Exam AZ-305 topic 4 question 124 discussion

Box1: 1 AMPLS Box2: 2 PEs I tested this and used 1 AMPLS and 2 PEs. As long as the DNS settings are correct and the PEs resolve for each VM fine without overlapping IPs, with just 1 AMPLS you can make this work to as many VNETs you want. The key idea here is to have the proper DNS private zone settings configured and of course VMs to have network connectivity to the PE.

Final Answer: 1. 2 2. 2

I think the question is wrong - you cannot have a single Private DNS zone shared across isolated vnets - see: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design#isolated-networks

Just when you thought you understood how private endpoints work, Microsoft make it more complicated with this one...

Box1: 2 AMPLS https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design#peered-networks Box2: 2 PEs https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design#isolated-networks

Conform to https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design Peered vnets need only one AMPLS and 1 private end point. Non peered vnets need each an AMPLS and a private endpoint. So the answer seems to be: box 1: 2 (one for the vnet1+2, one for vnet3) box 2: 2 (one for the vnet1+2, one for vnet3)

AMPLS: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design#guiding-principle-avoid-dns-overrides-by-using-a-single-ampls Isolated: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design#guiding-principle-avoid-dns-overrides-by-using-a-single-ampls From the 2nd link for me it's clear that you need to deploy 2 AMPLS and 2 endpoints

Minimum number of Azure Monitor Private Link Scope (AMPLS) objects: 1 You can use a single Azure Monitor Private Link Scope to connect multiple VNets to a Log Analytics workspace. This minimizes administrative overhead. Minimum number of private endpoints: 3 Each VNet (VNet1, VNet2, and VNet3) will need a private endpoint to communicate securely with the Log Analytics workspace via the Microsoft backbone. Therefore, 3 private endpoints are necessary, one for each VNet.

My answer is 1 AMPLS and 2 PEs: Azure Monitor Private Link Scope (AMPLS): You only need one AMPLS object to associate with the Log Analytics workspace (Workspace1) and create private endpoints within that scope. Private endpoints: You need one private endpoint for each VNet (VNet1, VNet2, VNet3) to ensure that traffic from the virtual machines in those VNets to the Log Analytics workspace is routed over the Microsoft backbone network.

https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design#:~:text=Peered%20networks,to%20different%20ones.

If your VNets share the same DNS configuration, you should use a single AMPLS for all of them

It should be AMPLS 2 and Private endpoint 2 (because the peering with vnet1 and vnet2)

box 1, AMPLS object should be: 2 One for VNet1 and VNet 2, since they are peered. And one for VNet3. It isolated from VNet1 and VNet2. Here is explanation: Peered networks Network peering is used in various topologies, other than hub and spoke. Such networks can share each other's IP addresses, and most likely share the same DNS. In such cases, create a single private link on a network that's accessible to your other networks. Avoid creating multiple private endpoints and AMPLS objects because ultimately only the last one set in the DNS applies. Isolated networks If your networks aren't peered, you must also separate their DNS to use private links. After that's done, create a separate private endpoint for each network, and a separate AMPLS object. Your AMPLS objects can link to the same workspaces/components or to different ones. Link from MS Learn: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design

given answer is correct.

Shouldn't the answer be 2 AMPLS -2 Private Endpoint?? Because of the isolated VNET3, for that another AMPLS and a Private Endpoint is necessary https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design