Exam AZ-500
Question 435

HOTSPOT

You have an Azure subscription that contains the resources shown in the following table.

VNet1 connects to a remote site by using a Site-to-Site (S2S) VPN that uses forced tunneling.

VNet1 contains the subnets shown in the following table.

The SQL subnet contains SQL1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion
femzy

1- Yes. To restrict inbound traffic to SQL1, you must modify an access rule in NSG1, as the NSG controls the traffic.
2- To enable VM1 to access storage1 by using the Microsoft backbone network, you must enable a service endpoint on the Default subnet. Yes: Service endpoints provide secure and direct connectivity to Azure services over the Microsoft Azure backbone network. Enabling a service endpoint for Microsoft.Storage on the Default subnet would ensure that traffic from VM1 to storage1 stays on the Microsoft backbone network.
3- You can deploy an App Service Environment to the Default subnet. No: Typically, an App Service Environment requires a dedicated subnet without any other resources deployed to it. The Default subnet may already contain other resources, and it's not dedicated solely to the App Service Environment.
https://learn.microsoft.com/en-us/azure/app-service/overview-vnet-integration

Feraso

Y/Y/N
1- Y
2- Y. The S2S VPN is between VNet1 and the remote network; hence, we need a Service Endpoint for the connection between VM1 and Storage1, as the VPN connection is not related to our connection here.
3- N. Regarding the third point, check this link: https://learn.microsoft.com/en-us/azure/app-service/environment/creation
App Service Environment is a single-tenant deployment of Azure App Service. You use it with an Azure virtual network. You need one subnet for a deployment of App Service Environment, and this subnet can't be used for anything else.

Ario

Given answer is correct.

sadsad

Y/Y/N
Service endpoints provide optimal routing for Azure traffic. Endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network. (24 Apr. 2023)
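An added example, not part of any post in this thread: a small Python model of longest-prefix-match route selection, showing which next hop traffic from a subnet to storage takes under forced tunneling, with and without a Microsoft.Storage service endpoint. The address ranges are constructed placeholders (10.0.0.0/16 is an assumed address space for VNet1, and 203.0.113.0/24 stands in for a storage prefix); the next hop type names are the ones Azure shows in a NIC's effective routes.

```python
import ipaddress

# Constructed sample data, not taken from the question's tables.
VNET_PREFIX = "10.0.0.0/16"            # assumed address space for VNet1
STORAGE_PREFIXES = ["203.0.113.0/24"]  # stand-in for a Microsoft.Storage prefix


def effective_routes(service_endpoint_enabled):
    """Build a simplified effective route table for one subnet."""
    routes = [
        (VNET_PREFIX, "VnetLocal"),
        # Forced tunneling: the default route points at the VPN gateway,
        # so Internet-bound traffic is sent to the remote site.
        ("0.0.0.0/0", "VirtualNetworkGateway"),
    ]
    if service_endpoint_enabled:
        # A service endpoint adds more specific routes for the service's
        # public prefixes, which stay on the Microsoft backbone.
        routes += [(p, "VirtualNetworkServiceEndpoint") for p in STORAGE_PREFIXES]
    return routes


def next_hop(dest_ip, routes):
    """Return the next hop type chosen by longest prefix match."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [
        (ipaddress.ip_network(prefix), hop)
        for prefix, hop in routes
        if ip in ipaddress.ip_network(prefix)
    ]
    if not matches:
        return "None"
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def storage_path(service_endpoint_enabled, storage_ip="203.0.113.10"):
    """Next hop for storage traffic from a subnet with or without the endpoint."""
    return next_hop(storage_ip, effective_routes(service_endpoint_enabled))


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"service endpoint={enabled}: storage via {storage_path(enabled)}")
```

In a real subscription, the same comparison can be made by reading the effective routes of VM1's network interface before and after enabling the endpoint on its subnet.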

tamilan_da

Given answer is correct. #2 - Service Endpoint and S2S connection cannot co-exist. So it is NO

Anarchira

This is a tricky question. We don't have info about where the VM is; we can suppose that it is on the Default subnet, but it could be on the SQL subnet. So, if we think that the VM is on the Default subnet:
1, should be yes, but we have a lot of ways to configure inbound traffic; "must" maybe is a key word here.
2, if we select yes here, like Yesvanth said, the next one must be
3, no.
I'm going with YYN too.

Dave03

Answer: Yes
Explanation: Since NSG1 is associated with the SQL subnet, modifying an access rule in NSG1 would be required to restrict inbound traffic to SQL1.
To enable VM1 to access storage1 by using the Microsoft backbone network, you must enable a service endpoint on the Default subnet.
Answer: No
Explanation: VM1 is on VNet1, and enabling a service endpoint on the subnet where VM1 resides (not necessarily the Default subnet) would be required. There is no indication that VM1 is on the Default subnet.
You can deploy an App Service Environment to the Default subnet.
Answer: No
Explanation: App Service Environments require a dedicated subnet that is not shared with other resources and has specific configurations. The Default subnet does not meet these requirements.
Conclusion:
Statement 1: Yes
Statement 2: No
Statement 3: No

JaridB

1. Y 2. Y 3. N

Apptech

Regarding 1: The default of an NSG is to block all incoming traffic. So, no need to restrict from outside requests. But it has an allow rule for traffic inside the vnet. If you need to restrict the inter-vnet traffic, you have to change the rule. So now everyone can decide what the question is mentioning.

hfk2020

Network requirements
The subnet in which SQL Managed Instance is deployed must have the following characteristics:
1) Dedicated subnet: The subnet SQL Managed Instance uses can be delegated only to the SQL Managed Instance service. The subnet can't be a gateway subnet, and you can deploy only SQL Managed Instance resources in the subnet. Subnet delegation: The SQL Managed Instance subnet must be delegated to the Microsoft.Sql/managedInstances resource provider.
2) Network security group: A network security group must be associated with the SQL Managed Instance subnet. You can use a network security group to control access to the SQL Managed Instance data endpoint by filtering traffic on port 1433 and ports 11000-11999 when SQL Managed Instance is configured for redirect connections. The service automatically provisions rules and keeps them current as required to allow uninterrupted flow of management traffic.
https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/connectivity-architecture-overview?view=azuresql&tabs=current

hfk2020

As per the above information:
1) Yes
2) Yes
3) No
You need a subnet that has no resources assigned to it for App Service Environment VNET Integration. Since the SQL Managed Instance subnet is dedicated, it means VM1 cannot be deployed in that subnet, so the only subnet left is the Default subnet.

_punky_

ans: YYN

heatfan900

Y = YOU RESTRICT ACCESS TO SQL VIA ITS NSG.
N = THERE IS NO NEED TO CREATE A SERVICE ENDPOINT SEEING AS ALL RESOURCES ARE NOT ONLY ON THE SAME SUBNET BUT THERE IS A VPN TUNNEL VIA ON-PREM AND AZURE.
N = THERE ARE THREE SUBNETS. ONE FOR SQL, THE OTHER FOR THE VPN GATEWAY N THE OTHER FOR VM 1 WHICH IS THE DEFAULT SUBNET. ASE MUST BE DEPLOYED ONTO ITS OWN SUBNET IN THE VNET OF YOUR CHOOSING.

heatfan900

CORRECTION!!: Y, Y, N
Y) YOU RESTRICT ACCESS TO SQL VIA ITS NSG.
Y) THE SERVICE ENDPOINT MUST BE CREATED TO ENSURE THE TRAFFIC IS ROUTED VIA THE MICROSOFT BACKBONE. I EXPLAIN THIS IN DETAIL IN ANOTHER QUESTION.
N) THERE ARE THREE SUBNETS. ONE FOR SQL, THE OTHER FOR THE VPN GATEWAY N THE OTHER FOR VM 1 WHICH IS THE DEFAULT SUBNET. ASE MUST BE DEPLOYED ONTO ITS OWN SUBNET IN THE VNET OF YOUR CHOOSING.

Yesvanth1

I think it's YYN. If option 2 is Y, then the third must be N.

Yesvanth1

My assessment was wrong