Exam AZ-700 topic 5 question 7 discussion

Actual exam question from Microsoft's AZ-700
Question #: 7
Topic #: 5

HOTSPOT -
You have the Azure environment shown in the Azure Environment exhibit.

The settings for each subnet are shown in the following table.

The Firewalls and virtual networks settings for storage1 are configured as shown in the Storage1 exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: Yes -
The firewall allows VNet1\Subnet1 through the service endpoint.

Box 2: No -
The firewall does not allow VNet1\Subnet2 through the service endpoint.

Box 3: No -
The firewall allows 132.124.53.0/26 which means it allows all IP addresses between 132.124.53.0 and 132.124.53.63. The public IP of VM3 is 132.124.53.76 which is outside the allowed range.
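As an added example (not part of the exam material or this page), the following Python snippet models the storage-firewall semantics quoted from the Microsoft docs in the discussion (service-endpoint requests are matched by subnet identity, public requests by IP rule, and IP rules do not apply to same-region traffic) and checks the three statements and the /26 boundary. The region names and the VM-to-subnet mapping are assumptions taken from the question text.

```python
import ipaddress

# Constructed model of the storage1 firewall described on this page:
# one virtual-network rule (VNet1/Subnet1 via its service endpoint) and
# one public IP rule (132.124.53.0/26). Region names are placeholders.
STORAGE1_RULES = {
    "vnet_rules": {"VNet1/Subnet1"},
    "ip_rules": [ipaddress.ip_network("132.124.53.0/26")],
    "region": "region-A",  # placeholder, the exhibit's region is not on the page
}


def ip_rule_covers(ip, ip_rules):
    """True if the public IP falls inside any allowed CIDR block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ip_rules)


def storage_allows(rules, source_subnet=None, public_ip=None, client_region=None):
    """Decide whether the storage firewall admits a request.

    Semantics as quoted from the Microsoft docs on this page:
    - A request arriving via a service endpoint carries the VNet/subnet identity
      and is allowed only if that subnet is listed in the virtual network rules.
    - Otherwise the source public IP must match an IP network rule, and IP rules
      have no effect on requests from the same region as the storage account.
    """
    if source_subnet is not None:
        return source_subnet in rules["vnet_rules"]
    if public_ip is None:
        return False
    if client_region == rules["region"]:
        return False  # same-region traffic is never matched by IP rules
    return ip_rule_covers(public_ip, rules["ip_rules"])


def quarter_blocks(parent="132.124.53.0/24"):
    """Split the /24 into its four /26 blocks; only the first is in the allow list."""
    return [str(n) for n in ipaddress.ip_network(parent).subnets(new_prefix=26)]


def answer_hotspot():
    """Evaluate the three statements from the question against the model."""
    return (
        # VM1 in VNet1/Subnet1, and that subnet is listed in the VNet rules
        storage_allows(STORAGE1_RULES, source_subnet="VNet1/Subnet1"),
        # VM2 in VNet1/Subnet2: service endpoint present, but subnet not listed
        storage_allows(STORAGE1_RULES, source_subnet="VNet1/Subnet2"),
        # VM3 from public IP 132.124.53.76, outside 132.124.53.0/26 (.0 to .63)
        storage_allows(STORAGE1_RULES, public_ip="132.124.53.76", client_region="region-B"),
    )
```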

Comments

Jamesat
Highly Voted 2 years, 6 months ago
Correct, tested in my lab. Yes, No, No. For question 2, Subnet2 has a service endpoint but is not present in the Firewall settings, so it would be denied.
upvoted 25 times
Goofer
2 years ago
IP network rules can't be used in the following cases: To restrict access to clients in same Azure region as the storage account. IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests. Source: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range Yes, Yes, No
upvoted 4 times
flurgen248
1 year, 10 months ago
I think it's Yes, No, No. IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-an-internet-ip-range The service endpoint routes traffic from the VNet through an optimal path to the Azure Storage service. Administrators can then configure network rules for the storage account that allow requests to be received from specific subnets in a VNet. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-a-virtual-network If you look at the storage1 networking image, there are separate sections for IP addresses and virtual networks. The section with IP addresses is the "IP Network rules" section, but since it's also using the "Virtual Network" section then you can only access storage1 using service endpoints that are explicitly listed.
upvoted 2 times
JulienYork
Highly Voted 2 years, 9 months ago
Box 1: Yes - The firewall allows VNet1\Subnet1 through the service endpoint. This is wrong in the answer: Box 2: YES. It is already accessing with the service endpoint, no need to access via the firewall. Box 3: No - The firewall allows 132.124.53.0/26, which means it allows all IP addresses between 132.124.53.0 and 132.124.53.63. The public IP of VM3 is 132.124.53.76, which is outside the allowed range.
upvoted 15 times
manhattan
1 month, 1 week ago
Correct! The second one is a YES, the firewall has no effect on service endpoints. Look here: "Storage firewall rules only apply to the public endpoints of a storage account, not private endpoints. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint" https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#about-virtual-network-endpoints
upvoted 1 times
manhattan
1 month ago
Actually I say Y,N,N. Subnet 2 has no service endpoint.
upvoted 1 times
0dc759b
5 months ago
This is in range. /26 means you can make 4 subnets. To me box 3 should be yes.
Network Address   Usable Host Range                Broadcast Address
132.124.53.0      132.124.53.1 - 132.124.53.62     132.124.53.63
132.124.53.64     132.124.53.65 - 132.124.53.126   132.124.53.127
132.124.53.128    132.124.53.129 - 132.124.53.190  132.124.53.191
132.124.53.192    132.124.53.193 - 132.124.53.254  132.124.53.255
upvoted 1 times
stormtraining
3 months, 1 week ago
IP subnet masks do not work like that buddy... if it is saying 132.124.53.0/26 it means the subnet only goes until .63, which is the broadcast IP address, so technically it goes until .62 for usable IPs only.... The next subnet to be allowed in the firewall would have to be explicitly 132.124.53.64/26. Then your comment will make sense.
upvoted 1 times
jellybiscuit
2 years, 4 months ago
I would agree with you if we were discussing private endpoints, as they bypass public access and firewall rules. Service Endpoints do not. VM2 can pass through subnet 1 to get to the endpoint, but its source address is still subnet 2, which has not been granted access on the storage account. If a storage account has a Private Endpoint and no rules, you can connect to it. If a storage account has a Service Endpoint and no rules, you cannot connect to it. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-a-virtual-network "You can enable a Service endpoint for Azure Storage within the VNet. The service endpoint routes traffic from the VNet through an optimal path to the Azure Storage service. The identities of the subnet and the virtual network are also transmitted with each request. Administrators can then configure network rules for the storage account that allow requests to be received from specific subnets in a VNet. Clients granted access via these network rules must continue to meet the authorization requirements of the storage account to access the data."
upvoted 13 times
sapien45
2 years, 4 months ago
YYN, I concur
upvoted 3 times
sapien45
2 years, 4 months ago
I stand corrected by jellybiscuit: YNN
upvoted 6 times
Ajdlfasudfo0
2 years, 2 months ago
you better go do AZ-900. seems to be more fitting your skill level
upvoted 1 times
Takloy
2 years, 1 month ago
the fact that you're using dumps to review is also not something to be proud of. everybody here is an AZ900 skill level.
upvoted 9 times
Lazylinux
Most Recent 1 year, 2 months ago
For sure YNN, as per below from MS Doco: "Virtual network service endpoints are public and accessible via the internet. The Azure Storage firewall provides the ability to control access to your storage account over such public endpoints. When you enable public network access to your storage account, all incoming requests for data are blocked by default. Only applications that request data from allowed sources that you configure in your storage account firewall settings will be able to access your data. Sources can include the source IP address or virtual network subnet of a client, or an Azure service or resource instance through which clients or services access your data. Requests that are blocked include those from other Azure services, from the Azure portal, and from logging and metrics services, unless you explicitly allow access in your firewall configuration." continued next ==>
upvoted 1 times
Lazylinux
1 year, 2 months ago
"A private endpoint uses a private IP address from your virtual network to access a storage account over the Microsoft backbone network. With a private endpoint, traffic between your virtual network and the storage account are secured over a private link. Storage firewall rules only apply to the public endpoints of a storage account, not private endpoints. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint" https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-a-virtual-network Also, during my testing I noticed the following: if I ADD a vNET and choose a subnet, the process will automatically create a Service Endpoint, and hence having a SEP doesn't mean you are automatically granted access unless you are in the allow list of the FW; otherwise a Private Endpoint is the ONLY way to bypass the FW.
upvoted 1 times
Murad01
1 year, 2 months ago
Appeared on the exam, November 2023.
upvoted 2 times
azure_dori
1 year, 5 months ago
Can somebody address the elephant in the room? VM1's IP address is 132.124.100.23. It doesn't belong to 132.100.53.0/25. Moreover, it doesn't belong to 132.124.53.0/26 either. How? Or rather, WHY does it have access to storage1?
upvoted 2 times
mabalon
1 year, 5 months ago
Subnet1 is allowed; check the config of the storage networking.
upvoted 2 times
TJ001
2 years, 1 month ago
Agree with Yes No No
upvoted 5 times
chatlisi
2 years, 1 month ago
According to this, it should be Y, Y, N: "With service endpoints, the source IP addresses of the virtual machines in the subnet for service traffic switches from using public IPv4 addresses to using private IPv4 addresses. Existing Azure service firewall rules using Azure public IP addresses will stop working with this switch." https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
upvoted 1 times
_fvt
1 year, 10 months ago
Yes, you are explaining well why the public allowed IP range will not allow the connection from VM2, and why the private IP addresses from VNet1/Subnet2 should be allowed instead (only VNet1/Subnet1 is allowed if you look at the storage account configuration). So, Y,N,N.
upvoted 1 times
unclegrandfather
2 years, 7 months ago
A version of this appeared on the exam Jun/28/22. Make sure you understand the concepts here.
upvoted 2 times
pinchocr
2 years, 8 months ago
You cannot filter public IPs when the vnet and the storage account are in the same region. The answer is correct: YES-NO-NO
upvoted 5 times
Jun_AZ500
2 years, 8 months ago
Correct me if I'm wrong on Q2, the answer is still No according to this: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal "IP network rules can't be used in the following cases: To restrict access to clients in same Azure region as the storage account. IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests."
upvoted 1 times
jpetix
2 years, 8 months ago
But the Firewall in question is on the Service endpoint, and it only allows Vnet1, Subnet1.
upvoted 1 times
wsrudmen
2 years, 9 months ago
It's YES-YES-NO. But I disagree with you, Julien, for Box2. VM2 is in Subnet2, which is not linked to the storage account like Subnet1. So VM2 can only access through the Internet using its public IP. And in the Firewall table VM2 is allowed. NB: Please correct me if I'm wrong.
upvoted 2 times
Payday123
2 years, 7 months ago
The question is if it accesses using the service endpoint, not the public IP.
upvoted 3 times