
Exam AZ-104 topic 6 question 59 discussion

Actual exam question from Microsoft's AZ-104
Question #: 59
Topic #: 6

HOTSPOT

You have an Azure subscription that contains two storage accounts named contoso101 and contoso102.

The subscription contains the virtual machines shown in the following table.



VNet1 has service endpoints configured as shown in the Service endpoints exhibit. (Click the Service endpoints tab.)



The Microsoft.Storage service endpoint has the service endpoint policy shown in the Microsoft.Storage exhibit. (Click the Microsoft.Storage tab.)



For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

Batiste2023
Highly Voted 1 year, 1 month ago
Ok, I'm the first to comment, yeah! Not a reason to be very cheerful, as I've not worked with service endpoints in practice yet... But well, here's my take on this: NNY.
- N: The service endpoint policy only covers storage account contoso101, not contoso102 (in subnet2). In my interpretation that means that contoso102 is not accessible from VM1 (subnet1).
- N: The service endpoint is only available for clients from subnet1; VM2 is in subnet2 and therefore doesn't have access.
- Y: There's a service endpoint for Azure AD for subnet2, which VM2 can use, therefore a private IP address is sufficient to reach the service.
(I am VERY much open to feedback and corrections on all this!)
upvoted 25 times
Bloodygeek
10 months, 3 weeks ago
Agree with the answer NNY. However, regarding the first answer: by default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service. Once a policy is configured on that subnet, only the resources specified in the policy can be accessed from compute instances in that subnet. Access to all other storage accounts is denied. Ref: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview From the storage service endpoint configuration policy, you can see that only contoso101 was listed in RG1, East US. Bear in mind, contoso102 was not mentioned. The question did not mention what RG contoso102 was in. Even if contoso102 is in the same RG as contoso101, VM1 cannot access contoso102 due to policy 1.
upvoted 2 times
Indy429
11 months, 2 weeks ago
Oh, and the answer to Q1 should be yes in my opinion: the subnet1 that is associated with VNet1 is set towards Microsoft.StorageAccount as per the second table. This indicates that an effective subnet has been created for the storage accounts and therefore the answer should be Yes.
upvoted 1 times
Bloodygeek
10 months, 3 weeks ago
By default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service. Once a policy is configured on that subnet, only the resources specified in the policy can be accessed from compute instances in that subnet. Access to all other storage accounts is denied. Ref: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview From the storage service endpoint configuration, you can see that only contoso101 was listed in RG1, East US. Bear in mind, contoso102 was not mentioned. The answer is No.
upvoted 2 times
SDiwan
10 months ago
The first question is tricky. The policy is applied to RG1 and the East US location. But we don't know if VNET1 is in RG1 and located in East US. So that's why I would ignore it and go by the service endpoint created for subnet1, and say the answer is YES.
upvoted 1 times
nchebbi
Highly Voted 1 year ago
NYN. N: VM1 in VNET1/Subnet1 traffic is limited by the endpoint policy to ONLY contoso101 (see Ref1). Y: VM2 is in subnet 2; there's no service endpoint for subnet2, so it will reach out to it through the service public IP. There's no mention that the storage accounts are configured to limit traffic to the VNET1 address space, so we assume it's not configured. N: it uses a public IP; Microsoft.AzureActiveDirectory is used only for supporting data lake storages, not for connecting to Azure AD/Entra, which doesn't support service endpoints. Ref1: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#configuration Ref2: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#limitations
upvoted 19 times
nchebbi
1 year ago
From Ref2: "The Microsoft.AzureActiveDirectory tag listed under services supporting service endpoints is used only for supporting service endpoints to ADLS Gen 1. Microsoft Entra ID doesn't support service endpoints natively."
From Ref1: "When Service Endpoint policies are applied on a subnet, the Azure Storage Service Endpoint scope gets upgraded from regional to global. This process means that all the traffic to Azure Storage is secured over service endpoint thereafter. The Service endpoint policies are also applicable globally. Any storage accounts that aren't explicitly allowed are denied access. You can apply multiple policies to a subnet. When multiple policies are associated to the subnet, virtual network traffic to resources specified across any of these policies are allowed. Access to all other service resources, not specified in any of the policies, are denied."
upvoted 5 times
SeMo0o0o0o
Most Recent 1 month, 1 week ago
WRONG. No, Yes, Yes.
upvoted 2 times
Dankho
1 month, 2 weeks ago
All are yes; you can access storage accounts, period. Stop getting confused just because you added a service endpoint. Service endpoints do not stop you from accessing storage accounts through the default public endpoint; they just provide a different way to access it, through the ol' Microsoft backbone (sorry, I'm on my 800th or so question now lol). The last one is the Microsoft.AzureActiveDirectory service endpoint, and yes, it's through the private endpoint.
upvoted 2 times
sats08
2 months ago
NYY. Since the service endpoint is enabled and the policy is locked to a particular SA (contoso101): No. VM2 is in subnet 2, which doesn't have a SA service endpoint, hence it can access all storage accounts over the Internet: Yes. Subnet 2 has an AAD service endpoint, making all traffic private towards Azure AD: Yes.
upvoted 3 times
examprepboy
2 months, 1 week ago
CORRECT ANSWER! NYY. Look at this: https://stackoverflow.com/questions/73769449/azure-difference-between-service-endpoint-and-private-endpoint-in-simple-terms
upvoted 3 times
Sanaz90
2 months, 1 week ago
The service endpoint policy is not assigned to any subnets, so it's useless until it's assigned; please correct me if I'm wrong. I guess the answers should be Y, Y, Y. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#limitations
upvoted 1 times
Teerawee
3 months ago
VM1 can access contoso102: No, because the Microsoft.Storage service endpoint is configured for Subnet1, which VM1 is connected to, but the policy shown is specifically for contoso101. There is no indication that VM1 can access contoso102.
VM2 can access contoso101: No, because VM2 is connected to Subnet2, and the Microsoft.Storage service endpoint is only configured for Subnet1, not Subnet2. Therefore, VM2 cannot access contoso101.
VM2 uses a private IP address to access Azure AD: Yes, because the Microsoft.AzureActiveDirectory service endpoint is enabled for Subnet2, where VM2 is connected. This allows VM2 to access Azure AD using a private IP.
Conclusion: Statement 1: No. Statement 2: No. Statement 3: Yes.
upvoted 2 times
090200f
5 months, 2 weeks ago
Box 1: No. The service endpoint policy only covers storage account contoso101, not contoso102 (in subnet2), and it has a policy.
Box 2: Yes, VM2 can access contoso101. VM2 is connected to VNet1/Subnet2. The service endpoint for Microsoft.Storage is configured on VNet1/Subnet2. VM2 can directly access contoso101 using the service endpoint, because of the same VNet.
Box 3: Yes. There's a service endpoint for Azure AD for subnet2, which VM2 can use, therefore a private IP address is sufficient to reach the service.
upvoted 5 times
Debugs_Bunny
2 months, 3 weeks ago
You need glasses or something? The service endpoint for Microsoft.Storage clearly shows subnet1. Hence box 2 is: NO.
upvoted 1 times
TechThameem
5 months, 2 weeks ago
The Answer:
VM1 can access contoso102. A. No
VM2 can access contoso101. A. Yes
VM2 uses a private IP address to access Azure AD. A. Yes
Explanation:
1. VM1 can access contoso102 (No): VM1 is connected to VNet1/Subnet1. The service endpoint for Microsoft.Storage is configured on VNet1/Subnet2. Since VM1 is not in the same subnet as the Microsoft.Storage service endpoint, it cannot directly access contoso102.
2. VM2 can access contoso101 (Yes): VM2 is connected to VNet1/Subnet2. The service endpoint for Microsoft.Storage is configured on VNet1/Subnet2. VM2 can directly access contoso101 using the service endpoint.
3. VM2 uses a private IP address to access Azure AD (Yes): VM2 uses a private IP address to communicate with Azure AD (Azure Active Directory). Azure AD communication does not require public IP addresses.
In summary, VM1 cannot access contoso102, VM2 can access contoso101, and VM2 uses a private IP address for Azure AD communication.
upvoted 4 times
WeepingMaplte
6 months, 1 week ago
N, Y, Y. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#scenarios:~:text=Endpoint%20policies%20provide%20granular%20access%20control%20for%20virtual%20network%20traffic%20to%20Azure%20Storage%20when%20connecting%20over%20service%20endpoint.
upvoted 2 times
mkhlszf
7 months ago
Many people here seem to be missing something fundamental, and that is how service endpoints work. You're thinking like a compute engineer instead of like a network engineer. Sure, on a policy level nothing is stopping you from reaching the other storage account over the internet, but on a network level there is. "Service Endpoint" is just a fancy way of describing a network route that uses a gateway other than the default and redirects all the traffic for the service (in this case Azure Storage) over the MS internal network. As anyone familiar with routing knows, if you add another route, as long as the traffic meets the criteria it will go through that route; the default route 0.0.0.0/0 will be used only when there are no other routes available. In this case there is another route available, which is the one that goes over the service endpoint, so any and all traffic for Azure Storage will use that route and won't even consider touching the default route, which goes over the internet. If all your traffic is forced to pass through a single point, then you can easily block whatever you want with a policy, or a firewall rule, or a proxy, or whatever other means you have to do so.
upvoted 3 times
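To make the routing-and-policy rules in this thread concrete (the Microsoft doc text quoted by nchebbi and the "it's just a more specific route" view above), here is a small Python model of how a request from a subnet to a storage account is routed and filtered. This is an added example, not code from the page or from Microsoft; the subscription ID, the resource group of contoso102, the policy definition and the storage firewall settings are constructed assumptions, and the Entra ID endpoint is not modelled.

```python
# Added example (not from the page or Microsoft): model of service endpoint +
# service endpoint policy behaviour for Azure Storage, per the documented rules:
#   no Microsoft.Storage endpoint on the subnet -> default route / public path;
#   endpoint but no policy attached            -> any storage account reachable;
#   endpoint with a policy attached            -> only listed resources allowed.
# All resource IDs, RG names and firewall settings below are constructed.
from dataclasses import dataclass, field

STORAGE = "Microsoft.Storage"

@dataclass
class Subnet:
    name: str
    service_endpoints: set = field(default_factory=set)
    policy_allowed: list = field(default_factory=list)  # resource IDs in the policy
    has_policy: bool = False                            # False = no policy attached

@dataclass
class StorageAccount:
    name: str
    resource_id: str
    allowed_subnets: set = None  # None = public endpoint open (the default)

def rule_matches(rule: str, resource_id: str) -> bool:
    """A policy definition lists an account, a resource group, a subscription
    or the alias /services/Azure/Storage; all are prefix matches on the ID."""
    if rule.lower() == "/services/azure/storage":
        return True
    return resource_id.lower().startswith(rule.lower())

def evaluate(subnet: Subnet, account: StorageAccount) -> tuple:
    """Return (path, allowed) for a request from `subnet` to `account`."""
    if STORAGE not in subnet.service_endpoints:
        # No endpoint: the VM follows its default route, so the storage
        # firewall sees a public source and a VNet rule cannot match.
        return "public-internet", account.allowed_subnets is None
    if subnet.has_policy and not any(rule_matches(r, account.resource_id)
                                     for r in subnet.policy_allowed):
        return "service-endpoint", False  # denied by the endpoint policy
    if account.allowed_subnets is not None and subnet.name not in account.allowed_subnets:
        return "service-endpoint", False  # denied by the storage firewall
    return "service-endpoint", True

# Constructed scenario modelled on the thread: placeholder subscription ID,
# contoso102 assumed to share RG1, Subnet1 has the Storage endpoint plus a
# policy naming only contoso101, Subnet2 has no Storage endpoint.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
contoso101 = StorageAccount("contoso101", f"{SUB}/resourceGroups/RG1/providers/Microsoft.Storage/storageAccounts/contoso101")
contoso102 = StorageAccount("contoso102", f"{SUB}/resourceGroups/RG1/providers/Microsoft.Storage/storageAccounts/contoso102")
subnet1 = Subnet("Subnet1", {STORAGE}, [contoso101.resource_id], has_policy=True)
subnet2 = Subnet("Subnet2", {"Microsoft.AzureActiveDirectory"})

def scenario() -> dict:
    return {"VM1->contoso101": evaluate(subnet1, contoso101),
            "VM1->contoso102": evaluate(subnet1, contoso102),
            "VM2->contoso101": evaluate(subnet2, contoso101)}
```

Swapping the policy entry for the RG-level ID `.../resourceGroups/RG1` lets both accounts through, and adding a VNet rule on a storage account shows why a subnet without the endpoint is then cut off on the public path.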
Amir1909
8 months, 2 weeks ago
No, Yes, Yes.
upvoted 7 times
sismer
11 months, 2 weeks ago
NYY. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview
upvoted 3 times
sismer
11 months, 2 weeks ago
NYY is correct.
upvoted 4 times
ki01
11 months, 3 weeks ago
(1/2) Been researching this for the past hour or so... makes my head spin. TL;DR: Y Y Y. Azure Files provides two main types of endpoints for accessing Azure file shares: public endpoints, which have a public IP address and can be accessed from anywhere in the world, and private endpoints, which exist within a virtual network and have a private IP address from within the address space of that virtual network. Enabling a private endpoint does not automatically disable the public one. The benefit of having a private endpoint is that you can secure your storage from any sort of public access. So with that we can assume that public endpoints are still online on these storage accounts, because there would be an explicit action to disable them, if so wanted.
upvoted 6 times
ki01
11 months, 3 weeks ago
(2/2) So with that information, now we see why the information about public IPs is provided. For our purpose the tier of public IP doesn't matter. Also, from what I know, every server in Azure can reach Azure AD by default to get an access token for storage, so having AAD endpoints on each subnet is not needed. Lastly, I think that within Azure a private IP is always used to connect to AAD, but I might be wrong. Still, it doesn't matter, because VM2, which is on subnet2, which has the AAD endpoint attached to it, will use a private IP for sure. The answers would be different if it was asked what type of IP (public/private) can be used to connect to each of the services. As it stands now, I can use public for both storages, which instantly eliminates two questions, and the third one is set in stone as Yes due to having a private endpoint on the subnet. If anyone wants to lab this, go ahead; after 500 questions, I'm running thin on enthusiasm.
upvoted 6 times
ki01
11 months, 3 weeks ago
Sidenote: for the first guy to say "well, what makes you think that public endpoints are enabled?", I ask what makes you think they are disabled? Storage by default is created with a public endpoint and you need to go in and create a private one, not the other way around. Best practice would be to disable them for security, but these questions never rely on best practices, only on the mock situation that is created.
upvoted 1 times
marerad
5 months ago
I think this is correct: service endpoints do not block traffic, they just define whether the network path will use the Microsoft backbone network and not the standard internet path. So everything is reachable in some way since it is on the same VNet, and the last answer is YES because a service endpoint is configured for Azure AD.
upvoted 1 times
090200f
5 months, 2 weeks ago
But storage account contoso101 has a policy, right?
upvoted 1 times
SgtDumitru
1 year ago
YYY. VM1 can access contoso102 over the internet, but it won't use the Microsoft.Storage service endpoint. VM2 can access contoso101 over the internet, but it won't use the Microsoft.Storage service endpoint. VM2 uses a private IP address to access Azure AD due to the presence of the Microsoft.AzureActiveDirectory service endpoint in Subnet2.
upvoted 7 times
tableton
8 months, 1 week ago
I agree, nothing is preventing VMs from accessing SAs over the internet.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other