Exam AI-102 topic 1 question 68 discussion

A. In VNet1, enable a service endpoint for CSAccount1. This allows you to secure your Azure service resources to the virtual network. E. In CSAccount1, modify the virtual network settings. This will allow you to configure CSAccount1 to accept connections only from the virtual network VNet1. Enabling service endpoints and modifying the virtual network settings for the AI Service resource will limit access to the resources within VNet1, effectively fulfilling both requirements.

In VNet1, enable a service endpoint for CSAccount1. This will allow you to connect your virtual network to your Azure AI Service resource securely over the Azure backbone network. In CSAccount1, modify the virtual network settings. This will allow you to configure virtual network rules that specify which subnets can access your Azure AI Service resource.

Enabling a service endpoint for CSAccount1 is correct because service endpoints allow secure and direct connectivity to Azure services over an optimized route within the Azure backbone network. This helps in preventing external access to CSAccount1 while ensuring the resource is accessible within the virtual network (VNet1). Modifying the virtual network settings in CSAccount1 is correct because this involves configuring the service to limit access to specific virtual networks and subnets, effectively preventing unauthorized external access. This configuration ensures that only resources within the specified virtual network can access CSAccount1, meeting the requirement of minimal administrative effort by leveraging built-in network security features. AE are the answers

ChatGPT confirms A and E

A - creating a service endpoint for csaccount1 on vnet1 ensures that its the only way of accessing the service and it ensures a secure connection E - adding network settings on service csaccount1 will ensure that the access is restricted to resources within vnet1

To ensure that only specific resources can access CSAccount1 and prevent external access while minimizing administrative effort, you should perform the following actions: A. In VNet1, enable a service endpoint for CSAccount1. E. In CSAccount1, modify the virtual network settings. Explanation: Enable a Service Endpoint for CSAccount1 (Action A): Service endpoints provide direct connectivity to Azure services over an optimized route over the Azure backbone network. By enabling a service endpoint for CSAccount1 on VNet1, you ensure that the traffic between VNet1 and CSAccount1 does not go over the internet, enhancing security and meeting the requirement to prevent external access. Modify the Virtual Network Settings in CSAccount1 (Action E): Configuring the virtual network settings in CSAccount1 allows you to specify which subnets within VNet1 can access the AI service. This way, you can control access at a more granular level and ensure that only specific resources within those subnets can access CSAccount1.

https://learn.microsoft.com/en-us/azure/ai-services/cognitive-services-virtual-networks?tabs=portal#configure-virtual-network-rules

From copilot : To achieve the desired requirements of preventing external access to CSAccount1 while minimizing administrative effort, consider the following actions: Configure network rules for CSAccount1: Go to the Azure AI services resource you want to secure. Under Firewalls and virtual networks, select Selected Networks and Private Endpoints. Deny access by default to all networks, including internet traffic. Then, configure rules to grant access only to traffic from specific virtual networks1. Create a virtual subnet in VNet1: This allows you to isolate resources within a specific subnet, ensuring that only authorized traffic can reach CSAccount1. Therefore, the correct answers are A. In VNet1, enable a service endpoint for CSAccount1 and D. In VNet1, create a virtual subnet. These actions align with the requirements and minimize administrative overhead.

ChatGPT: A and E

Dervices like Azure AI Search, Video Indexer, and Immersive Reader do not support VNet settings configuration. For such services, E is not a viable response.

A and E.

I will also vote for AE.

AE ... Do NOT think B is correct: The IAM controls do not necessarily help if the endpont and key are compromised; Have to use VNET controls to gate the service endpoints;

A. In VNet1, enable a service endpoint for CSAccount1. B. In CSAccount1, configure the Access control (IAM) settings. Explanation: A. Enabling a service endpoint for CSAccount1 in VNet1 allows traffic from the virtual network to reach CSAccount1 without traversing the public internet, thus preventing external access. B. Configuring the Access control (IAM) settings in CSAccount1 allows you to specify which specific resources or identities have access to CSAccount1. By configuring these settings, you can ensure that only specific resources can access CSAccount1, meeting the requirement to restrict access.

AE should be right

A. Enable a service endpoint for Azure AI services within the virtual network. The service endpoint routes traffic from the virtual network through an optimal path to the Azure AI service. https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/role-based-access-control B. Has default multiple Role-base access: Cognitive Services OpenAI User, Cognitive Services OpenAI Contributor, Cognitive Services Contributor, Cognitive Services Usages Reader You can also set up Azure RBAC for whole resource groups, subscriptions, or management groups. Do this by selecting the desired scope level and then navigating to the desired item. For example, selecting Resource groups and then navigating to a specific resource group. Select Access control (IAM) on the left navigation pane. https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/role-based-access-control

A. In VNet1, enable a service endpoint for CSAccount1. Enabling a service endpoint for CSAccount1 in VNet1 will allow you to secure the Azure AI Service resource to a specific subset of networks. This means that only the applications requesting data over VNet1 will be able to access CSAccount1. It’s a way to ensure that the resource is only accessible from within the virtual network. E. In CSAccount1, modify the virtual network settings. By modifying the virtual network settings in CSAccount1, you can configure network rules that limit access to the resource. You would set the default network access rule to deny access to all networks, including the internet. Then, you can specify which virtual networks or subnets are allowed to access CSAccount1.