Exam AZ-700 topic 5 question 1 discussion

When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

C should be correct

B is the correct answer

B, wth guys

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security When you configure network rules, only applications that request data over the specified set of networks or through the specified set of Azure resources can access a storage account. You can limit access to your storage account to requests that come from specified IP addresses, IP ranges, subnets in an Azure virtual network, or resource instances of some Azure services. Answer: B

i dont know why so man voted for C, but B is actually correct

https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#:~:text=Azure%20Storage%20cross%2Dregion%20service%20endpoints

Appeared on Exam November -2023

An answer is needed to the question "ensure that you can use the service endpoint to connect to the read-only endpoint of storage1 in the paired Azure region" - and only possible answer is B Answer C is for the question - "What you should do to create a RA-GRS instance"

F#cking M$ are sneaky mofos! You really got to RTFQ with these bastards! It's asking what's the first thing you need to do. It's difficult to know exactly what's been done, and what needs to be done. Assuming nothing has been done, then configuring the vnets on the recovery site makes sense.

Documentation says: "When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance." But in our case the service endpoint for the Azure Storage already is in place. So this question is pretty unclear. If the Vnet also already is in place (we do not know for sure) then Firewall should be the next step.

"Service endpoints allow continuity during a regional failover and access to read-only geo-redundant storage (RA-GRS) instances. Network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance." https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#available-virtual-network-regions

who is to say that the paired Azure region does not have a VNet yet ...maybe it just needs that firewall rule on the storage?

When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

This is the excerpt from the link above Service endpoints allow continuity during a regional failover and access to read-only geo-redundant storage (RA-GRS) instances. Network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance. When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts. if you read past the section that makes B the answer, you see the pre-requisite that makes C the answer

Answer is C. By enabling Service Endpoint for access to our Azure resource, we are limiting the access to the "storage account" only to private IP address. So, we won't longer need the usage of a public IP address or NATting settings like in a firewall. So, the option of the firewall is no longer suitable in this case. The first option about fail-over will work only if the primary "service point" fails, or for having active-active environment; but that will require too much effort.Plus, both "Subnet" and " Service endpoint" are located in the same region, it would be useful the "fail-over option if they are located in separated regions". The other option about adding an additional "service endpoint" doesn't make sense due that the question says that we will need to grant access via the "Service endpoint" that was created.

By default, service endpoints work between virtual networks and service instances in the same Azure region. When using service endpoints with Azure Storage, service endpoints also work between virtual networks and service instances in a paired region. If you want to use a service endpoint to grant access to virtual networks in other regions, you must register the AllowGlobalTagsForStorage feature in the subscription of the virtual network. This capability is currently in public preview. Service endpoints allow continuity during a regional failover and access to read-only geo-redundant storage (RA-GRS) instances. Network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance. When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts.