Exam AZ-700 topic 7 question 2 discussion

Actual exam question from Microsoft's AZ-700
Question #: 2
Topic #: 7

You need to provide access to storage2. The solution must meet the PaaS networking requirements and the business requirements.
Which connectivity method should you use?

  • A. a private endpoint
  • B. Azure Firewall
  • C. Azure Front Door
  • D. a service endpoint
Suggested Answer: A

Comments

wsrudmen
Highly Voted 2 years, 11 months ago
Selected Answer: A
Azure Service Endpoint provides secure and direct connectivity to Azure PaaS services over an optimized route over the Azure backbone network. Traffic still leaves your VNet and hits the public endpoint of the PaaS service.
==> Then it can't meet the goal because of the public IP.
Azure Private Link (or Private Endpoint) allows you to access Azure PaaS services over a private IP address within the VNet. It's then OK.
A is the answer.
upvoted 31 times
Breadfan
8 months, 4 weeks ago
Answer is D, a service endpoint. If you only need a secure connection between the virtual network and another resource, you should use a service endpoint, which means your resources will still have public exposure and you will be accessing those resources using the public endpoint of the resource. However, if you need to access your Azure resources from on-premises through an Azure gateway, a regionally peered virtual network, or a globally peered virtual network, use a private endpoint. The private endpoint will allow connection using the private IP of the resources, eliminating the public exposure completely.
upvoted 1 times
Breadfan
8 months, 4 weeks ago
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/service-endpoints-vs-private-endpoints/ba-p/3962134
upvoted 1 times
siddique12345
1 year, 5 months ago
According to this link, service point is the answer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#key-benefits
Service endpoints enable securing of Azure service resources to your virtual network by extending VNet identity to the service. Once you enable service endpoints in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network. The rule addition provides improved security by fully removing public internet access to resources and allowing traffic only from your virtual network.
upvoted 3 times
jeffangel28
2 years, 8 months ago
Perfectly explained!
upvoted 1 times
erima21
2 years, 7 months ago
Correct!
- Service endpoints do not remove public endpoint.
- Private endpoints remove public access.
upvoted 9 times
Payday123
Highly Voted 2 years, 10 months ago
Selected Answer: D
"Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet."
And it is cheaper.
upvoted 15 times
bobothewiseman
Most Recent 3 months ago
Selected Answer: D
Service endpoints allow you to connect directly to Azure services (like storage accounts) from specific VNets. They extend your virtual network’s private IP space to Azure storage, ensuring access from VNet2 and VNet3 but preventing exposure of the public endpoint.
You cannot use a private endpoint here because it is designed for specific resource access (like databases), and service endpoints are the preferred choice for storage.
upvoted 1 times
manny72
8 months, 2 weeks ago
Selected Answer: D
The whole reason why service endpoints are there is to provide secure access from Azure subnets to supported services like storage accounts. If you don't use a SE in this case, then when? It has no cost compared to a private endpoint and you can select the subnets to give access to and block the others and the public access. The way it works is that it uses public IP but instead of the route being directed through the internet, it goes through the Microsoft backbone network. So even with public access blocked, it's still reachable from selected networks.
upvoted 2 times
Steveandlewis
12 months ago
To provide access to storage2 while meeting the PaaS networking requirements and the business requirements, you should use Private Endpoint. Private Endpoint allows a network interface with a private IP address to be created in your Azure Virtual Network (VNet). The private IP address provides secure and direct connectivity to your PaaS service, in this case storage2, over a private link. This ensures that the data between your VNet and storage2 traverses over the Microsoft backbone network, eliminating exposure to the public internet. This method aligns with the business requirement of minimizing costs as it does not require any additional outbound data transfer costs that are associated with other methods like service endpoints. It also satisfies the PaaS networking requirement of making storage2 accessible from Vnet2 and Vnet3 without exposing the public endpoint of storage2. Remember to set up the necessary DNS configurations for Private Endpoint to ensure that the requests to storage2 are routed through the private endpoint.
upvoted 1 times
cerifyme85
1 year, 2 months ago
Selected Answer: D
Service endpoint is free -- Business req --> minimise cost https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/service-endpoints-vs-private-endpoints/ba-p/3962134#:~:text=Cost,free%20of%20use)
upvoted 4 times
cerifyme85
1 year, 1 month ago
Sorry, was wrong. A
PEP --> Removes public access totally
SEP --> Connection still made to public endpoint .. privately
upvoted 2 times
c2e9cb4
1 year, 3 months ago
Selected Answer: D
I validate response D for low cost and fitting requirement
upvoted 2 times
Rododendron2
1 year, 4 months ago
Selected Answer: D
D - requirements met & better cost. As well, there shall not be access from on premises - additional work to filter
upvoted 2 times
GBAU
1 year, 6 months ago
This question is likely EOL given: https://learn.microsoft.com/en-us/azure/expressroute/about-fastpath
Virtual network (VNet) Peering FastPath sends traffic directly to any VM deployed in a virtual network peered to the one connected to ExpressRoute, bypassing the ExpressRoute virtual network gateway. This feature is available for both IPv4 and IPv6 connectivity.
So with FastPath to Vnet1, it sends traffic directly to Vnet2 and Vnet3 as well (both being peered). I take this to mean no new connections for the circuit needed, and no need for a gateway transit in the peering.
upvoted 1 times
GBAU
1 year, 6 months ago
How did this end up in this one, it was meant for the other version of the question, doh!
upvoted 2 times
derp12352
1 year, 8 months ago
It doesn't matter if a service endpoint uses the public IP. You can still use it without EXPOSING it (the requirement listed). You would just have public access disabled.
upvoted 5 times
JennyHuang36
2 years, 2 months ago
In exam Feb, 2023
upvoted 4 times
energie
2 years, 2 months ago
Selected Answer: A
"Virtual Network (VNet) Service Endpoint provides secure and direct connectivity to (native) Azure services" (NOT the private services provisioned by you). Private Endpoint brings the private services provisioned by you (like Azure Storage, Azure SQL Database etc.) to the VNet.
upvoted 1 times
staffo
2 years, 2 months ago
Both answers are technically correct (As the public ip is already blocked) except when it comes to costs. Service Endpoints are free and private endpoints include additional costs. So to minimise costs use Service Endpoints.
upvoted 5 times
TJ001
2 years, 3 months ago
Service end point still connects to public IP of the storage account... The question should have been better phrased to have proper use case for service endpoint..I
upvoted 2 times
chatlisi
2 years, 3 months ago
Selected Answer: D
Storage 1 can be accessed from on prem via Private Endpoint only (Service Endpoint does not support on prem access).
Storage 2 should be via Service Endpoint since the communication is within Azure only.
upvoted 7 times
jellybiscuit
2 years, 6 months ago
Selected Answer: A
A - private endpoint - a service endpoint does not remove the public endpoint. The storage account could be accessed both through the service endpoint and publicly. I have a hard time imagining that service endpoint is the correct answer to any question that would appear on the test today.
upvoted 1 times
[Removed]
2 years, 7 months ago
Selected Answer: D
D is correct
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other