Exam AZ-700 topic 5 question 3 discussion

The order is wrong. If you need to avoid service interruption "Deny Public Access and Private Endpoint" should be configured at last

Think through the steps and this is and easy question to answer. + 5 Deploy VM This VM is for DNS. + 1 Install DNS Role and create DNS forward entry DNS server in Azure has blob.core mapped to IP address 168.63.129.16 + 2 ON-prem DNS to VM The on prem DNS server lookup requests for blob need to be forwarded to the DNS server in Azure with the blob.core to IP address mapping. + 3 Private-endpoint creation and disable public access – With DNS settings complete users can connect to blob, without interruption. Public access can be disabled. Not sure why 4 could not be used in place of creating VM and installing DNS role. I suspect is has something to do with interruption of service. But since we aren't told how they are accessing the blob now who knows.

Configure a private endpoint on storageaccount1 and disable public access to the account Deploy a virtual machine to a subnet in Vnet1 Install the DNS server role and configure the forwarding of blob.core.windows.net to 168.63.129.16 Configure on-premises DNS servers to forward blob.core.windows.net to the virtual machine

If you set up the PEP and deny public access first, you interrupt access to the storage for onsite users (who are using Public Access). You need to set up the DNS solution first, which will initially still give the Public IP resolution so maintain access. Then you add the PEP and remove public Access. DNS will cut over to the PEP IP and users will continue to access it that way. Of course, with DNS caching of the storages Public IP access, users will still get some interruptions to access... To actually do this without interruption, you would need to create a static record in DNS for the storage accounts PEP first, then add the forwarder, wait for the TTL for the Public DNS records on the clients to expire, then remove the static entry. to let the forwarder take control.

From where do i get the info what the ip is ?!

Answers are as following: 1. Deploy a virtual machine to a subnet in Vnet1 2. Install DNS server role and configure the forwarding of blob.core.windows.net to 168.63.129.16 3. Configure on-premises DNS servers to forward blob.core.windows.net to the virtual machine (This is assuming that there is an IPsec connection from your on-premises to your Azure Virtual Environment). 4. Configure a private endpoint on storageaccount1 and disable public access to the account. (This is option is done on last due that a storage account can only have one type of access mode at a time, if we set this option by first, we will be interrupting the access publicly and the question says that we need to avoid service interruption.) The option of: Configure on-premises DNS server to forward blob.core.windows.net to 168.63.129.16 is wrong due that the ip addres: 168.63.129.16 exists only in Azure Environment and our On-premises network won't know any route of how to get to that network.

This is what I was doing, without really thinking about the disruption. After seeing the comments and thinking back on my answer, I think the key is to simply pause between enabling the private endpoint and disabling public access to allow DNS to propagate after you add the PE. - deploy vm - install dns - on-prem dns forwards to vm - configure private endpoint on storage account - [ insert pause here] then disable public access

Very similar setup described here : https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

To avoid service disruption you would have to do the Private Endpoint last. Otherwise you've lost access until you have finished building the VMs and installing DNS etc.

on exam today

Appeared on exam Jun/28/22

5. Deploy a virtual machine to a subnet in Vnet1 5. Deploy VM. This VM is for DNS. 1. Install the DNS server role and configure the forwarding of blob.core.windows.net to 168.63.129.16 1. Install DNS Role and create DNS forward entry. DNS server in Azure has blob.core.windows.net mapped to IP address 168.63.129.16 2. Configure on-premises DNS servers to forward blob.core.windows.net to the virtual machine 2. ON-prem DNS to VM The on prem DNS server lookup requests for blob need to be forwarded to the DNS server in Azure with the blob.core.windows.net to IP address mapping. 3. Configure a private endpoint on storageaccount1 and disable public access to the account 3. Private-endpoint creation and disable public access With DNS settings complete users can connect to blob, without interruption. Public access can be disabled. Avoid service interruption "Deny Public Access and Private Endpoint" should be configured at last

Appeared on exam 6/27/2022

Appeared on exam 6/27/2022

Variant on exam 1/6/2022

Correct Order: 5 1 2 3

VM>DNSRole +FwdtoAzureDNA+ ON-premDNStoFwdtoAzureVM +Private-endpoint creation