Exam AZ-104 topic 5 question 138 discussion

I would go for Y N N 1) YES Virtual networks must be in the same region as the service endpoint policy. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#limitations 2) NO - By default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service as VNET2 is in diff region this policy is definetly not applied to subnet 2 3) NO - Policy allows all storage accounts + IMHO its not full vnet3 to be considered.

Answer is correct Box 1: Y Virtual networks must be in the same region as the service endpoint policy https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#limitations Box 2: N VNet2 is in SEA Region, so it can only connect to the stoacc in SEA Region through Service Endpoint, which is storage3 Box 3: Y VNet3 is in the South Central US region, and so is the storage2

Y N N 1) Yes, since the location of Policy1 is South Central US and VNet3/Subnet3 is in that location, you can apply that policy to that Subnet because service endpoint policies can only be applied to the location they were created in. 2) No, because all storage accounts are accessible from VNet2 since it has a Service endpoint there. And similar to #1, the policy wouldn't affect VNet2 either since it's not really restricting anything. 3) No, because the policy allows access from VNet3/Subnet3 to all storage accounts.

WRONG Yes No No

- Policy1 can be applied to Subnet3 = Yes (Virtual Network + Service Endpoint must same region = South Central US) - Only storage1 and storage2 can be accessed from VNET2 = No (VNet2 different region) - Only storage2 can be accessed from VNET3 = No (Azure Storage (Microsoft.Storage) Generally available in all Azure regions)

- Policy1 can be applied to Subnet3 = Yes (Virtual Network + Service Endpoint must same region = South Central US) - Only storage1 and storage2 can be accessed from VNET2 = No (VNet2 different region) - Only storage2 can be accessed from VNET2 = No (VNet2 different region)

YNN 3) Access to Managed Storage Accounts stopped working after applying a Service Endpoint Policy over the subnet Managed Storage Accounts aren't supported with service endpoint policies. If configured, policies deny access to all Managed Storage Accounts, by default. If your application needs access to Managed Storage Accounts, endpoint policies shouldn't be used for this traffic.

The answer is correct Y,N,Y Please note the policy is applied at subscirption level, so option 3 is Y

Box 1: Yes subnet3 is in vnet3 which is in south central US region which has policy1 created. Box 2: No it will allow all not only storage 1, 2 Box 3: No policy applicable

1) YES Virtual networks must be in the same region as the service endpoint policy. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#limitations 2) NO - By default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service as VNET2 is in diff region this policy is definetly not applied to subnet 2 3) NO - According to this link : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#limitations When Service Endpoint policies are applied on a subnet, the Azure Storage Service Endpoint scope gets upgraded from regional to global. This process means that all the traffic to Azure Storage is secured over service endpoint thereafter.

Yes No No

Y N N The policy is created, but not mentioned that it get applied!

Y - N - N You create a service endpoint policy named Policy1 in the South Central US Azure region to allow connectivity to all the storage accounts in the subscription. Thus all Vnets with the service endpoint can access any storage in the subscription So VNET2 and VNET3 can access storage 1, 2, and 3