Exam AZ-700 topic 4 question 5 discussion

Correct! Service Tag "storage" represents Azure Storage Accounts and can only be applied on the Outbound direction. Here the NSG is denying the access to any Storage account ( direction is Outbound, read well) and it is applied on the Subnet level not on the NIC level. No - VM2 being on the subnet 2 not on subnet 1 will be deny Yes - VM1 and Private 1 are in the same subnet so VM1 will have access N0 - VM2 has been denied the access by the NSG

According to this article https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints#network-security-group-rules-for-subnets-with-private-endpoints "NSG rules applied to the subnet hosting the private endpoint are not applied to the private endpoint". So VM1 would use private endpoint without any NSG filtering.

You have rule with 100 priority to deny Any traffic from any port to any destination. In short, all interactions via network is blocked, meaning box 1 and 3 are automatically a NO. We then have a private endpoint which permits the VM1 located in subnet1/VNet1 to access storage1. This makes Box 2 a YES

Guys! Stop arguing. It's obviously YNY ChatGPT Approved!

1. From VM2, you can create a container in storage1: No The NSG's outbound rule blocks any traffic from any source to the Storage service, including creating containers. The private endpoint is only for accessing blob storage and doesn't override NSG rules for other storage operations. 2. From VM1, you can upload data to a blob storage container in storage1: Yes The private endpoint in Subnet1 provides a private IP address for VM1 to access blob storage in storage1. Traffic to the private endpoint bypasses NSG rules, allowing VM1 to upload data to blobs. 3. From VM2, you can upload data to a blob storage container in storage1: No VM2 is not in the subnet where the private endpoint is configured (Subnet1). It cannot use the private endpoint to bypass the NSG rule, so outbound traffic to storage is still blocked.

Based on the below im voting NYN and hence given answer is correct First let’s get those facts outlined Subnet to Subnet communication within the same VNET is allowed by default and would need an explicit NSG rule to restrict and hence The default outbound NSG rule is to allow all VMs to communicate with each other and resources freely on same vNET, however if you create an outbound rule that overrides the default rule by giving it higher priority than the custom rule will override the default rule and this is the case in this scenario and hence communication is blocked to storage In order to enforce NSG on Private Endpoint – a Network plociy MUST be enabled for the vNET spscific to NSG, however in this case is NOT mentioned or enabled and hence NSG rules are NOT affecting the private Endpoint see further info as limit reached

n, y, n WHEN CREATING THE PRIVATE ENDPOINT FOR INBOUND ACCESS AGAINST THE STORAGE ACCT SA1, YOU ARE ESSENTIALLY BRINGING THAT SA INTO THE VNET1/SUBNET1 AS PER THE SETTINGS OUTLINED ABOVE. TH THE NSG IS APPLIED AT THE SUBNET LEVEL, THEREFORE, IT IS NOT APPLIED WHEN CONNECTING FROM A RESOURCE IN SUBNET 1 SUCH AS VM1. SINCE THERE IS NO PRIVATE ENDPOINT FOR SUBNET AND THE NSG APPLIES TO THAT SUBNET AS WELL THE OUTBOUND TRAFFIC TO SA1 WILL BLOCKED AS PER THE NSG DENY RULE.

This question seems old. Currently NSGs can be applied on PE subnets: https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal

I thought private endpoints ignores NSG's. Therefore everything should be yes

https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services Using service tags to allow or deny traffic to your Azure resources to and from public IP endpoints.

YYY - Service TAGS are for Public services IP, doesn't contains private endpoints so don't filter any flow to the private endpoint, even on VM NICs or if Network Policies For Private endpoint were enabled for the Subnet where the private endpoint is located. "https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services" https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services

In exam Feb, 2023

...I always wanted to say this... Tested in Lab... And i did just that. All answers are Y. Set the public access level of the containers to blob, did the nsg+rules to the subnets and 2 vms with bastion access and the private endpoint... all test where made with powershell from the vms ... Also pointing out that when the private endpoint was created a note was saying that if i have an nsg on the subnet given, it would be disabled for private endpoints on that subnet... so thats that...

will go with yes yes yes...it is very clear private endpoint connections are local and the dns resolution happens to a private IP of the private end point and service tag resolves to public IP wont be applicable here

NYN is Correct because. For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there's one, and then the rules in a network security group associated to the subnet, if there's one. This includes intra-subnet traffic as well.

NYN N - Outbound is Denied so VM2 can't jump to VM1. Y - Because of the Private Endpoint N - Same explanation as the first one.

NYN is correct! The NSG apply only a VM2 because the private endpoint is only for VM1. Easy!