Exam AZ-700
Question 213

You have the Azure resources shown in the following table.

You configure storage1 to provide access to the subnet in Vnet1 by using a service endpoint.

You need to ensure that you can use the service endpoint to connect to the read-only endpoint of storage1 in the paired Azure region.

What should you do first?

    Correct Answer: C

    To ensure that you can use the service endpoint to connect to the read-only endpoint of storage1 in the paired Azure region, the first thing you need to do is create a virtual network in the paired Azure region. Service endpoints associate a subnet with a specific regional service. Since Vnet1 is in the East US region, you need a corresponding virtual network in the paired region to facilitate cross-region access. Configuring the firewall settings for storage1 is a necessary step but not the first action required for enabling access from a different region.

Discussion
sapien45 (Option: C)

When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

TJ001

Answer C. Agreed

Ditka

"Local and cross-region service endpoints can't coexist on the same subnet. To replace existing service endpoints with cross-region ones, delete the existing Microsoft.Storage endpoints and re-create them as cross-region endpoints (Microsoft.Storage.Global)."

jarz (Option: C)

F#cking M$ are sneaky mofos! You really got to RTFQ with these bastards! It's asking what's the first thing you need to do. It's difficult to know exactly what's been done, and what needs to be done. Assuming nothing has been done, then configuring the vnets on the recovery site makes sense.

Neostar (Option: A)

"Service endpoints allow continuity during a regional failover and access to read-only geo-redundant storage (RA-GRS) instances. Network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance." https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#available-virtual-network-regions

Prutser2 (Option: C)

By default, service endpoints work between virtual networks and service instances in the same Azure region. When using service endpoints with Azure Storage, service endpoints also work between virtual networks and service instances in a paired region. If you want to use a service endpoint to grant access to virtual networks in other regions, you must register the AllowGlobalTagsForStorage feature in the subscription of the virtual network. This capability is currently in public preview. Service endpoints allow continuity during a regional failover and access to read-only geo-redundant storage (RA-GRS) instances. Network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance. When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts.

varvare (Option: C)

This is the excerpt from the link above: "Service endpoints allow continuity during a regional failover and access to read-only geo-redundant storage (RA-GRS) instances. Network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance. When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts." If you read past the section that makes B the answer, you see the prerequisite that makes C the answer.

GohanF2 (Option: C)

Answer is C. By enabling Service Endpoint for access to our Azure resource, we are limiting the access to the "storage account" only to private IP address. So, we will no longer need the usage of a public IP address or NATting settings like in a firewall. So, the option of the firewall is no longer suitable in this case. The first option about fail-over will work only if the primary "service point" fails, or for having an active-active environment; but that will require too much effort. Plus, both "Subnet" and "Service endpoint" are located in the same region; the "fail-over" option would be useful if they were located in separate regions. The other option about adding an additional "service endpoint" doesn't make sense because the question says that we will need to grant access via the "Service endpoint" that was created.

Ajdlfasudfo0

This is wrong. Service endpoints go via the public IP. That's the very difference compared to private endpoint.

DevOpsJunior (Option: B)

B is correct, it's clearly mentioned in the documentation.

sapien45

And which documentation is it, junior?

Akodo_Shado

Answer is obviously B as DevOpsJunior pointed out. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#available-virtual-network-regions "When using service endpoints with Azure Storage, service endpoints also work between virtual networks and service instances in a paired region." Lab tested.

Ditka

Yes they do, but not at the same time. You cannot have a single subnet with both a local region service endpoint and a cross-region service endpoint (tested). The documentation states to set up a vnet in the paired local region with a local SE for DR purposes: "Local and cross-region service endpoints can't coexist on the same subnet. To replace existing service endpoints with cross-region ones, delete the existing Microsoft.Storage endpoints and re-create them as cross-region endpoints (Microsoft.Storage.Global)." https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

tdctdc (Option: B)

B, wth guys

CharlesS76 (Option: B)

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security When you configure network rules, only applications that request data over the specified set of networks or through the specified set of Azure resources can access a storage account. You can limit access to your storage account to requests that come from specified IP addresses, IP ranges, subnets in an Azure virtual network, or resource instances of some Azure services. Answer: B

evangelist (Option: B)

I don't know why so many voted for C, but B is actually correct.

jayek (Option: B)

https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#:~:text=Azure%20Storage%20cross%2Dregion%20service%20endpoints

Murad01

Appeared on Exam November 2023

Zika69 (Option: B)

An answer is needed to the question "ensure that you can use the service endpoint to connect to the read-only endpoint of storage1 in the paired Azure region", and the only possible answer is B. Answer C is for the question "What you should do to create a RA-GRS instance".

Apptech (Option: B)

Documentation says: "When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance." But in our case the service endpoint for the Azure Storage already is in place. So this question is pretty unclear. If the Vnet also already is in place (we do not know for sure) then Firewall should be the next step.

Bbb78 (Option: B)

Who is to say that the paired Azure region does not have a VNet yet... maybe it just needs that firewall rule on the storage?

GBAU

In these exams you can't assume anything else exists unless it is 100% required for something that is stated to exist.

alkorkin (Option: C)

When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance. https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

BlackZeros (Option: C)

C is perhaps the right answer: you create a VNET in the paired region from where you will access storage1.

sapien45

And PERHAPS instead of conjecturing, you should look for official Azure literature to document your arguments. This is the whole point.

Ditka

Here is the literature: You cannot have a single subnet with both a local region service endpoint and a cross-region service endpoint (tested). The documentation states to set up a vnet in the paired local region with a local SE for DR purposes: "Local and cross-region service endpoints can't coexist on the same subnet. To replace existing service endpoints with cross-region ones, delete the existing Microsoft.Storage endpoints and re-create them as cross-region endpoints (Microsoft.Storage.Global)." https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal
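
The preconditions the quoted documentation lists (a subnet in the paired region, a storage service endpoint on it, a matching network rule on the storage account, and no mix of local and cross-region endpoints on one subnet) can be checked mechanically. The following Python audit is an added example, not part of the thread or of Microsoft's documentation; its field names are modelled on Azure CLI JSON output, and the subscription ID, resource group `rg1`, the `Vnet1-dr` VNet and the `westus` paired region are assumptions.

```python
STORAGE_LOCAL, STORAGE_GLOBAL = "Microsoft.Storage", "Microsoft.Storage.Global"

# Constructed inventory. Subscription ID, rg1, Vnet1-dr and its subnets are
# placeholders; "location" is copied from each subnet's parent VNet.
VNETS = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
         "/providers/Microsoft.Network/virtualNetworks")
SUBNETS = {
    f"{VNETS}/Vnet1/subnets/default": {
        "location": "eastus", "serviceEndpoints": [{"service": STORAGE_LOCAL}]},
    f"{VNETS}/Vnet1-dr/subnets/default": {
        "location": "westus", "serviceEndpoints": [{"service": STORAGE_LOCAL}]},
    f"{VNETS}/Vnet1-dr/subnets/mixed": {
        "location": "westus", "serviceEndpoints": [{"service": STORAGE_LOCAL},
                                                   {"service": STORAGE_GLOBAL}]},
}
# storage1 firewall as configured in the question: only the Vnet1 subnet is allowed.
RULE_SET = {"defaultAction": "Deny", "virtualNetworkRules": [
    {"virtualNetworkResourceId": f"{VNETS}/Vnet1/subnets/default", "action": "Allow"}]}


def audit_dr_access(rule_set, subnets, paired_region):
    """Return findings that would block service-endpoint access from paired_region."""
    findings = []
    if rule_set.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: network rules are not enforced")
    # Azure resource IDs are case-insensitive, so compare them lowercased.
    allowed = {r["virtualNetworkResourceId"].lower()
               for r in rule_set.get("virtualNetworkRules", [])
               if r.get("action", "Allow") == "Allow"}
    dr_subnets = {i: s for i, s in subnets.items() if s["location"] == paired_region}
    if not dr_subnets:
        findings.append(f"no subnet exists in {paired_region}")
    for sid, subnet in sorted(dr_subnets.items()):
        name = sid.split("/virtualNetworks/")[1]
        services = {e["service"] for e in subnet.get("serviceEndpoints", [])}
        if {STORAGE_LOCAL, STORAGE_GLOBAL} <= services:
            findings.append(f"{name}: local and cross-region endpoints on one subnet")
        elif not services & {STORAGE_LOCAL, STORAGE_GLOBAL}:
            findings.append(f"{name}: no storage service endpoint")
        if sid.lower() not in allowed:
            findings.append(f"{name}: no network rule on the storage account")
    return findings


if __name__ == "__main__":
    for finding in audit_dr_access(RULE_SET, SUBNETS, "westus"):
        print(finding)
```

Run against a planned or exported configuration, an empty result means none of the listed preconditions is missing; it does not test live connectivity.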