Exam AZ-500
Question 452

HOTSPOT

You have an Azure subscription that contains the virtual machines shown in the following table.

You have an Azure Cosmos DB account named cosmos1 configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion
Alexbz

N,Y,Y. Service endpoint is enabled for VNet1/Subnet1, so VM1 connects through the MS backbone to Cosmos DB instead of using the Internet. Service endpoint is disabled for VNet1/Subnet2, so VM2 uses its public IP address to connect to the Cosmos DB. There is no service endpoint for VNet2, so VM3 uses its public IP address to connect to the Cosmos DB.

Anarchira

Sorry Alex, maybe I'm making a mistake, but the question does not specify that the service endpoint is enabled, only the security of the database. Based on this, the answer should be YES, NO, YES. Where is the service endpoint specified?

[Removed]

In the screenshot, endpoint status: subnet1 enabled, subnet2 disabled.

adminpack

ChatGPT: If the VM is in a Virtual Network (VNet) and you've enabled service endpoints for Azure database services (like Azure SQL Database or Azure Cosmos DB), then the VM will access the database service over the Azure backbone network, and not over the public internet. This provides a secure and optimized route to access the database services.

dc864d4

Use Copilot. It's made by Microsoft and is retrieving from a much more up-to-date repository that is especially mature in Azure. ChatGPT is yesterday's news. Also AWS has an offering coming down the pipe. Big dogs coming in to steal it and make it better. /shrug

Ario

For all of them YES. Since VM1 has a public IP and the Cosmos DB firewall allows internet access, VM1 can access Cosmos DB over the internet. The fact that vnet1/subnet1 has a service endpoint for Cosmos DB does not restrict access from the public internet. The same for the rest.

epomatti

N,Y,Y When Service Endpoint is enabled, it will always use the private IP only for that service. Public IP rules will fail.

billo79152718

Yes, No, Yes is correct

_punky_

YYY, the FW was whitelisted and you can access the resource (CosmosDB) via internet.

Self_Study

All of them CAN. Even VM1 CAN but it won't

jimmyjose

The CAN part (should have been WILL) is incorrectly worded as VM1 will access the service endpoint using its private IP because the endpoint status for subnet1 is enabled. If it was not enabled, then VM1 would have used its public IP to access the Cosmos DB.

Pamban

Agree!! VM1 CAN but it won't

davidecaria

I assume that the correct answer depends on the interpretation of CAN. My answer would be: N,Y,Y. If a service endpoint is enabled, then the traffic would be routed through the Microsoft backbone. This means that VM1 will try to connect to the Cosmos with the MSFT network and not with its public IP address. It is still technically possible for VM1 to use its public IP address, but the fact that the service endpoint is in place would make the traffic follow the backbone direction. Using the public IP is possible if the service endpoint is removed; this would change the question and I guess that it is not supposed to. VM2 has no service endpoint enabled and the public IP is in the correct range, so YES. VM2 has no service endpoint and the public IP is in the correct range, so YES.

Pamban

In the first question, it says VM1 "CAN" access via internet. Since its public IP range has been whitelisted, it CAN be accessed via internet even if subnet1 is removed from selected networks. In the 2nd question, the public IP is whitelisted in selected networks, hence it is accessible via internet. In the 3rd question, the public IP is whitelisted, hence the db is accessible via internet. Answer is YYY.

aks_exam

That's a tough question. VM1 "can" access the Internet, because it's not prohibited, but with this policy VM1 accesses with a private IP address...

depp

"Once you enable service endpoints in your virtual network, you can add a virtual network rule to secure the Azure service resources to your virtual network. The rule addition provides improved security by fully removing public internet access to resources and allowing traffic only from your virtual network." https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

heatfan900

ALL PUBLIC IPs of the VMs will have access to the COSMOS DB via the INTERNET, based on FIREWALL POLICY. The VIRTUAL NETWORK FILTERING shows VNET/SUBNET1 has a SERVICE ENDPOINT, which means it will route via the MICROSOFT BACKBONE and not the INTERNET. VNET1/SUBNET2 does not, so it will route via the INTERNET, and VNET2/SUBNET is not listed at all, so it will also route via the INTERNET. n, y, y
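
The source-switching behaviour described in the N,Y,Y comments above, as an added Python model (not part of the original thread and not Azure code): a subnet with the Cosmos DB service endpoint enabled reaches the account over the backbone with its private IP and is matched only against VNet rules, while any other subnet arrives from its public IP and is matched against the IP firewall. The question's table and exhibit are not on this page, so every IP address, the IP rule range, the VNet2 subnet name and the extra VM4 are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class VM:
    name: str
    subnet: str       # "VNet/Subnet" the NIC sits in
    private_ip: str
    public_ip: str

@dataclass(frozen=True)
class CosmosFirewall:
    ip_rules: tuple        # public CIDR ranges on the IP firewall
    vnet_rules: frozenset  # subnets listed under virtual network filtering

def evaluate(vm, endpoint_subnets, fw):
    """Return (path, source the account sees, allowed) for one VM."""
    if vm.subnet in endpoint_subnets:
        # Endpoint enabled: traffic rides the Microsoft backbone and arrives
        # with the subnet identity and private IP, so only VNet rules can match.
        return ("backbone", vm.private_ip, vm.subnet in fw.vnet_rules)
    # No endpoint: traffic leaves via the public IP and is checked against IP rules.
    hit = any(ip_address(vm.public_ip) in ip_network(r) for r in fw.ip_rules)
    return ("internet", vm.public_ip, hit)

# Constructed sample data (the page's table and exhibit are not available).
ENDPOINT_SUBNETS = frozenset({"VNet1/Subnet1", "VNet3/Subnet1"})
FIREWALL = CosmosFirewall(
    ip_rules=("203.0.113.0/24",),
    vnet_rules=frozenset({"VNet1/Subnet1", "VNet1/Subnet2"}),
)
VMS = [
    VM("VM1", "VNet1/Subnet1", "10.1.1.4", "203.0.113.10"),
    VM("VM2", "VNet1/Subnet2", "10.1.2.4", "203.0.113.20"),
    VM("VM3", "VNet2/Subnet1", "10.2.1.4", "203.0.113.30"),
    # Hypothetical VM4: endpoint enabled on its subnet but no VNet rule, so
    # its whitelisted public IP no longer helps.
    VM("VM4", "VNet3/Subnet1", "10.3.1.4", "203.0.113.40"),
]

def report():
    return {vm.name: evaluate(vm, ENDPOINT_SUBNETS, FIREWALL) for vm in VMS}

if __name__ == "__main__":
    for name, (path, src, ok) in report().items():
        print(f"{name}: via {path} as {src} -> {'allowed' if ok else 'denied'}")
```

The VM4 row is the case to check for in a real environment: enabling the endpoint on a subnet before adding the matching VNet rule cuts off clients that previously relied on an IP firewall entry.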