Exam AZ-104 topic 6 question 59 discussion

Ok, I'm the first to comment, yeah! Not a reason to be very cheerful, as I've not worked with service endpoints in practice yet... But well, here's my take on this: NNY - N: The service endpoint policy only covers storage account contoso101, not contoso102 (in subnet2). In my interpretation that means that contoso102 is not accessible from VM1 (subnet1). - N: The service endpoint is only available for clients from subnet1, VM2 is in subnet2 and therefore doesn't have access. - Y: There's a service endpoint for Azure AD for subnet2, which VM2 can use, therefore a private IP address is sufficient to reach the service. (I am VERY much open to feedback and corrections on all this!)

NYN. N: VM1 in VNET1/Subnet1 traffic is limited by the endpoint policy to ONLY the constoso101.(see Ref1) Y: VM2 in subnet 2, there's no sevice enpoint for subnet2 so it will reach out to it through the service Public IP, there's no mention that storage accounts are configuired to limit traffic to the VNET1 address space so we assume it's not configured. N: it uses public IP, Microsoft.AzureActiveDirectory is used only for supporting data late storages not for connecting to AzureAD/Entra doesn't support Service endpoints. Ref1: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#configuration Ref2: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#limitations

N,Y,Y 1- VM1 can access contoso102. VM1 is in Subnet1, which has a service endpoint policy applied. The policy only allows access to contoso101. Therefore, VM1 cannot access contoso102. Answer: No 2- VM2 can access contoso101. VM2 is in Subnet2. The service endpoint policy that restricts access to only contoso101 is not applied to Subnet2, based on the policy warning: “You will need to associate it to one or more subnets...” Therefore, Subnet2 is not restricted and can access any storage account, including contoso101. Answer: Yes 3- VM2 uses a private IP address to access Azure AD. Azure Active Directory service endpoint is configured for Subnet2, where VM2 resides. Azure AD endpoints are routed through the VNet service endpoint, allowing private IP-based access. Answer: Yes

WRONG No Yes Yes

All are yes, you can access Storage accounts period. Stop getting confused just because you added a service endpoint. Service endpoints do not stop you from accessing storage accounts through the default public endpoint, they just provide a different way to access it, through the 'ol Micrsoft Backbone (sorry I'm on my 800th or so question now lol). The last one is Microsoft.AzureActiveDirectory Service Endpoint and yes it's through the private endpoint.

NYY Since Service Endpoint Enabled and Policy is locked towards a particular SA(Contoso101).. NO VM2 is subnet 2 which doesn't have a SA Service Endpoint hence can access all Storage accounts over Internet. yes Subnet 2 has AAD Service Endpoint making all traffic private towards azure AD. Yes

CORRECT ANSWER! NYY look at this - https://stackoverflow.com/questions/73769449/azure-difference-between-service-endpoint-and-private-endpoint-in-simple-terms

The service endpoint policy is not assigned to any subnets so it's useless until it's assigned, please correct me if i'm wrong. I guess the answers should be Y, Y, Y https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#limitations

VM1 can access contoso102. No, because the Microsoft.Storage service endpoint is configured for Subnet1, which VM1 is connected to, but the policy shown is specifically for contoso101. There is no indication that VM1 can access contoso102. VM2 can access contoso101. No, because VM2 is connected to Subnet2, and the Microsoft.Storage service endpoint is only configured for Subnet1, not Subnet2. Therefore, VM2 cannot access contoso101. VM2 uses a private IP address to access Azure AD. Yes, because the Microsoft.AzureActiveDirectory service endpoint is enabled for Subnet2, where VM2 is connected. This allows VM2 to access Azure AD using a private IP. Conclusion: Statement 1: No Statement 2: No Statement 3: Yes

Box 1: No The service endpoint policy only covers storage account contoso101, not contoso102 (in subnet2). and it has policy Box 2: Yes , VM2 can access contoso 101 VM2 is connected to VNet1/Subnet2. The service endpoint for Microsoft.Storage is configured on VNet1/Subnet2. VM2 can directly access contoso101 using the service endpoint, because of same Vnet Box 3: Yes There's a service endpoint for Azure AD for subnet2, which VM2 can use, therefore a private IP address is sufficient to reach the service.

The Answer: VM1 can access contoso102. A. No VM2 can access contoso101. A. Yes VM2 uses a private IP address to access Azure AD. A. Yes Explanation: 1. VM1 can access contoso102 (No): VM1 is connected to VNet1/Subnet1. The service endpoint for Microsoft.Storage is configured on VNet1/Subnet2. Since VM1 is not in the same subnet as the Microsoft. Storage service endpoint, it cannot directly access contoso102. 2. VM2 can access contoso101 (Yes): VM2 is connected to VNet1/Subnet2. The service endpoint for Microsoft.Storage is configured on VNet1/Subnet2. VM2 can directly access contoso101 using the service endpoint. 3. VM2 uses a private IP address to access Azure AD (Yes): VM2 uses a private IP address to communicate with Azure AD (Azure Active Directory). Azure AD communication does not require public IP addresses. In summary, VM1 cannot access contoso102, VM2 can access contoso101, and VM2 uses a private IP address for Azure AD communication

N,Y,Y https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#scenarios:~:text=Endpoint%20policies%20provide%20granular%20access%20control%20for%20virtual%20network%20traffic%20to%20Azure%20Storage%20when%20connecting%20over%20service%20endpoint.

Many people here seem to be missing something fundamental and that is how the Service Endpoints work. You're thinking like a compute engineer instead of like a network engineer. Sure, on a policy level nothing is stopping you from reaching the other storage account over the internet, but on a network level there is. "Service Endpoint" is just a fancy way of calling a network route that uses another gateway other than the default and redirects all the traffic for the service (in this case Azure Storage) over the MS internal network. As anyone familiar with their routing knows, if you add another route, as long as the traffic meets the criteria it will go through that route, the default route 0.0.0.0/0 will be used when there are no other routes available. In this case there is another route available, which is the one that goes over the Service Endpoint, so every and all traffic for Azure Storage will use that route and won't even consider touching the default route which goes over the internet. If you have that all your traffic is forced to pass through a single point, then can easily block whatever you want with a policy, or a firewall rule, or a proxy or whatever other means you have to do so.

No Yes Yes

NYY https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview

NYY is correct

(1/2) Been researching this for the past hour or so..... makes my head spin. TL;DR Y Y Y Azure Files provides two main types of endpoints for accessing Azure file shares: Public endpoints, which have a public IP address and can be accessed from anywhere in the world. Private endpoints, which exist within a virtual network and have a private IP address from within the address space of that virtual network. Enabling private endpoint does not automaticly disable the public one. The benefit of having a private endpoint is that you can secure your storage from any sort of public access. So with that we can assume that public endpoints are still online on these storage accounts, because there would be an explicit action to disable them, if so wanted.