Exam AZ-104 topic 6 question 38 discussion

My answer: 2 First service endpoint: One service endpoint for Microsoft.Storage added to VNET1. The question asks how many to add to VNET1. When adding service endpoints on the VNET1 side you only get to choose the service ( Microsoft.Storage ) not the actual storage accounts. Once you add this service endpoint it can be then linked to on the storage side for both accounts. Second Service Endpoint: Microsoft.AzureActiveDirectory. Total:2

Should be B, 2 service endpoints. VM is not a service endpoint type. So the first question is irrelevant. Both storage accounts must have service endpoints in vnet 1, so awnser should be 2

One for Microsoft.Storage One for Microsoft.AzureActiveDirectory

Communication with VNET2: To allow virtual machines in VNET1 to communicate with those in VNET2, you need a service endpoint for the Microsoft backbone network. This ensures that traffic between the two virtual networks stays within the Azure backbone, providing optimal connectivity. Access to Storage1 and Storage2: For virtual machines in VNET1 to access storage1 and storage2, you’ll need service endpoints for Azure Storage. These endpoints allow private IP addresses within VNET1 to reach Azure Storage services without requiring public IP addresses. Therefore, the minimum number of service endpoints to add to VNET1 is two: One for Microsoft backbone network (for communication with VNET2). Another for Azure Storage (for accessing storage1 and storage2). ANSwer: B

B is correct

One service endpoints for each Virtual Network that connects to storage accounts, so in this case only VNET1. On storage account there is no storage enpoint configuration. About connection on microsoft backbone beteween VNET1 and VNET2 such a service endpoint doesn't exist. About Service Endpoint: Microsoft.AzureActiveDirectory it's only for ADSL Gen 1. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#limitations

storage endpoint for both storage accounts

The answer is A Here is the simplest proof: Service Endpoints cannot be connected to vNets associated to virtual machines. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

You need a separate private endpoint for each storage resource that you need to access, namely Blobs, Data Lake Storage Gen2, Files, Queues, Tables, or Static Websites. On the private endpoint, these storage services are defined as the target sub-resource of the associated storage account. https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

I think the answer is B. Why? To meet the requirements of allowing virtual machines in VNET1 to communicate with virtual machines in VNET2 using the Microsoft backbone, as well as allowing access to Azure services such as Azure AD and Azure Storage using the Microsoft backbone, you should configure the following service endpoints in VNET1: - You wouldn't use service endpoints to enable communication between the VNETs. (Peering would be the likely solution for VNET to VNET communication) - Microsoft.Storage (For access to storage1 and storage2) - Microsoft.AzureActiveDirectory (For access to Azure AD) These service endpoints will enable traffic between the virtual machines in VNET1 and Azure Storage accounts (storage1 and storage2) and Azure Active Directory using the Microsoft backbone network. So, the minimum number of service endpoints to add to VNET1 is 2: Microsoft.Storage and Microsoft.AzureActiveDirectory. Please correct me if i'm wrong!

he Microsoft.AzureActiveDirectory tag listed under services supporting service endpoints is used only for supporting service endpoints to ADLS Gen 1. Azure AD doesn't support service endpoints natively. So Answer is only one he Microsoft.AzureActiveDirectory tag listed under services supporting service endpoints is used only for supporting service endpoints to ADLS Gen 1. Azure AD doesn't support service endpoints natively. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

Only for the storage

Only 1 service endpoint is required for Storage account

K Vault is not mentioned so the answer is B bc is one endpoint per Storage A.

Vnet1&2 peering. 1 storage service endpoint, 1 AAD service endpoint. So answer is 2.

I think is 2

- VMs traffic is handled by the NIC using the private IP so 0 service endpoints. Moreover, it does not exist such a thing as a service endpoint for VMs. - We need 1 Microsoft.Storage service endpoint in VNET1 subnet. We will attach this subnet to each of the storage accounts. * it does not talk about connecting to the Key vaults, so no need to create a service endpoint for that.