Exam AZ-500
Question 422

HOTSPOT

You have an Azure subscription that contains the virtual machines shown in the following table.

Subnet1 and Subnet2 have a network security group (NSG). The NSG has an outbound rule that has the following configurations:

• Port: Any

• Source: Any

• Priority: 100

• Action: Deny

• Protocol: Any

• Destination: Storage

The subscription contains a storage account named storage1.

You create a private endpoint named Private1 that has the following settings:

• Resource type: Microsoft.Storage/storageAccounts

• Resource: storage1

• Target sub-resource: blob

• Virtual network: VNet1

• Subnet: Subnet1

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.
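To make the network-layer part of this question concrete, the following is a small Python model of how the NSG's outbound rules are evaluated for traffic leaving VM1 and VM2 once Private1 exists. It is an added example, not part of the exam page or any Microsoft tooling. Everything numeric is constructed: the VNet1 address space, the VM and Private1 addresses, the public IPs standing in for storage1 and a second account storage2, and the two prefixes standing in for the Storage service tag (the real tag is Microsoft's published list of public prefixes, which is the point: a service tag never contains addresses inside your VNet). It also assumes the privatelink.blob.core.windows.net private DNS zone is linked to VNet1, so that storage1's blob hostname resolves to the private endpoint IP from both subnets, and it models only the network layer, not the RBAC or SAS authorisation that several replies below point out the question never specifies.

```python
"""Model of Azure NSG outbound evaluation for the VM -> storage1 scenario.

Added example with constructed addresses; nothing here comes from the exam
page. Assumptions: VNet1 = 10.0.0.0/16, Subnet1 = 10.0.1.0/24,
Subnet2 = 10.0.2.0/24, Private1 NIC = 10.0.1.5, public IPs and Storage
service-tag prefixes are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# --- Constructed topology (the question gives no addresses) ---
VNET1 = ipaddress.ip_network("10.0.0.0/16")
VM_IPS = {"VM1": ipaddress.ip_address("10.0.1.4"),   # Subnet1
          "VM2": ipaddress.ip_address("10.0.2.4")}   # Subnet2
PRIVATE1_IP = ipaddress.ip_address("10.0.1.5")       # Private1 NIC in Subnet1

# Constructed sample of what the Storage service tag expands to: public
# prefixes only. Real contents come from Microsoft's published tag JSON.
SERVICE_TAGS = {
    "Storage": [ipaddress.ip_network(p) for p in ("20.60.0.0/16", "52.239.0.0/16")],
    "VirtualNetwork": [VNET1],
}
# Constructed public IPs for the storage accounts' public endpoints.
PUBLIC_IPS = {"storage1": ipaddress.ip_address("20.60.0.10"),
              "storage2": ipaddress.ip_address("52.239.1.20")}


@dataclass(order=True)
class Rule:
    priority: int
    name: str = field(compare=False)
    action: str = field(compare=False)       # "Allow" | "Deny"
    destination: str = field(compare=False)  # service tag, CIDR or "Any"


def dest_matches(rule: Rule, dst: ipaddress.IPv4Address) -> bool:
    """Does the rule's Destination cover this IP? Source is 'Any' in the
    question, so the same rule applies to VM1 and VM2 alike."""
    if rule.destination == "Any":
        return True
    if rule.destination == "Internet":         # everything outside the VNet
        return dst not in VNET1
    if rule.destination in SERVICE_TAGS:
        return any(dst in net for net in SERVICE_TAGS[rule.destination])
    return dst in ipaddress.ip_network(rule.destination)


# The question's custom rule plus the three default outbound rules every NSG has.
NSG_OUTBOUND = sorted([
    Rule(100,   "DenyStorage",           "Deny",  "Storage"),
    Rule(65000, "AllowVnetOutBound",     "Allow", "VirtualNetwork"),
    Rule(65001, "AllowInternetOutBound", "Allow", "Internet"),
    Rule(65500, "DenyAllOutBound",       "Deny",  "Any"),
])


def evaluate(dst) -> tuple:
    """Lowest priority number is checked first; the first match decides."""
    dst = ipaddress.ip_address(dst)
    for rule in NSG_OUTBOUND:
        if dest_matches(rule, dst):
            return rule.action, rule.name
    raise RuntimeError("unreachable: DenyAllOutBound matches everything")


def resolve(host: str, private_dns_linked: bool = True) -> ipaddress.IPv4Address:
    """Name resolution as seen from inside VNet1.

    Private1 targets only the 'blob' sub-resource, so with the
    privatelink.blob.core.windows.net zone linked, storage1's blob hostname
    resolves to the private endpoint IP. storage1's file hostname and any
    other account still resolve to their public IPs."""
    account, service = host.split(".")[0], host.split(".")[1]
    if private_dns_linked and account == "storage1" and service == "blob":
        return PRIVATE1_IP
    return PUBLIC_IPS[account]


def can_reach(vm: str, host: str, private_dns_linked: bool = True) -> dict:
    """Resolve the hostname, then run the source VM's NSG outbound rules."""
    dst = resolve(host, private_dns_linked)
    action, rule = evaluate(dst)
    return {"vm": vm, "src": str(VM_IPS[vm]), "host": host,
            "dst": str(dst), "action": action, "rule": rule}


if __name__ == "__main__":
    cases = [("VM1", "storage1.blob.core.windows.net", True),
             ("VM2", "storage1.blob.core.windows.net", True),
             ("VM2", "storage2.blob.core.windows.net", True),
             ("VM1", "storage1.file.core.windows.net", True),
             ("VM1", "storage1.blob.core.windows.net", False)]
    for vm, host, dns in cases:
        r = can_reach(vm, host, dns)
        print(f"{r['vm']} -> {r['host']:<34} {r['dst']:<12} {r['action']:<5} ({r['rule']})")
```

Run as a script it prints one line per case. The blob hostname for storage1 resolves to 10.0.1.5 from either subnet, which matches no Storage prefix and therefore falls through to AllowVnetOutBound; storage2, storage1's file endpoint, and storage1's blob endpoint when the private DNS zone is not linked all resolve to public addresses and hit the priority-100 Deny. Whether an actual upload then succeeds is a separate authorisation question that this model does not touch.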

    Correct Answer:

Discussion
billo79152718

Correct is: Yes, Yes, Yes. The exact same question appears here on an AZ-700 exam: https://www.examtopics.com/discussions/microsoft/view/64022-exam-az-700-topic-4-question-5-discussion/

billo79152718

I just used a lot of time investigating this. Spare your time, it is: YES YES YES

Nava702

I think you guys missed the target sub-resource in the private endpoint. It is only for BLOB, so access to the container would still use the public IP, and it is blocked by the service tag rule on the NSG. First one is NO imo.

JaridB

1. From VM2 you can create a container in storage1? No
2. From VM1 you can upload data to the blob storage of storage1? Yes
3. From VM2, you can upload data to the blob storage of storage1? No

Let's break down the reasoning:

NSG rule: The outbound rule in the NSG denies all traffic to storage accounts (destination: Storage). This rule applies to both VM1 and VM2 as they are both in the VNets (VNet1/Subnet1 and VNet1/Subnet2) associated with the NSG.

Private endpoint: The private endpoint (Private1) allows VM1 in Subnet1 to access the blob storage (target sub-resource: blob) of storage1. This creates a private connection that bypasses the NSG rule for VM1. However, VM2 is not in Subnet1 and doesn't have access through the private endpoint.

Therefore, VM1 can leverage the private endpoint to access storage1 while VM2 is restricted by the NSG rule.

jorgesoma

Agree. NYN

daz_rekka

Private Endpoints ignore the NSG so Yes/Yes/Yes.

MCC_Examtraining

Not anymore. They added NSGs for private endpoints: https://azure.microsoft.com/en-us/updates/general-availability-of-network-security-groups-support-for-private-endpoints/

So my suggestion is:
1. No, because the NSG gets applied.
2. Yes, because the private endpoint of the storage account and VM1 are in the same subnet. The NSG doesn't get applied.
3. No, because the NSG gets applied.

sirio

The link you provided does not refer to the Storage service tag. The question is whether the Storage service tag also includes the private endpoint Private1. I didn't find any confirmation of that, so I would say the answer is YYY.

Catlyn

From VM2, you can create a container in storage1: No. The NSG outbound rule denies any outbound traffic to the destination "Storage" (which includes "storage1"). Therefore, VM2 will not be able to create a container in storage1.

From VM1, you can upload data to the blob storage of storage1: Yes. The private endpoint "Private1" is configured for blob storage access in "storage1" and is in Subnet1. The NSG outbound rule does not apply to VM1 as it is in Subnet1, so VM1 can upload data to the blob storage of storage1 through Private1.

From VM2, you can upload data to the blob storage of storage1: No. The NSG outbound rule denies any outbound traffic to the destination "Storage" (which includes "storage1"). Therefore, VM2 will not be able to upload data to the blob storage of storage1.

Catlyn

Similar discussion at https://www.examtopics.com/discussions/microsoft/view/64022-exam-az-700-topic-4-question-5-discussion/

hfk2020

When I navigate to the NIC of the private endpoint I get this:

"Select a network interface below to see the effective security rules and associated network security groups. Scope: Network interface (e.nic.4d04ad28-7810-457a-8e4c-6005b421ef7d). Associated NSGs: No associated NSGs found. Failed to retrieve effective security rules because network interface 'e.nic.4d04ad28-7810-457a-8e4c-6005b421ef7d' is not attached to a virtual machine."

Tested in the lab: I created a VM in subnet 1 of the VNet and created the private endpoint in subnet 2 of the same VNet, and was able to connect only to the storage account on which the private endpoint was configured. The NSG was blocking access to all other storage accounts.

The only way a private endpoint can be used in an NSG is when you assign it to an ASG, and then you can play with it to stop it from being accessed. A good explanation of this concept can be found at https://www.youtube.com/watch?v=iL7_HocfbDM&ab_channel=AdamStuart

hfk2020

Correct answer is Yes Yes Yes

TheProfessor

Should be N N N. Nowhere is the permission/access policy mentioned. All the information is just for the network layer, but the questions ask about the data layer.

sigvast

Correct answer is YYY. The NSG rule has a service tag for Destination; a service tag is a list of public IP addresses. The connection to the private endpoint will not be blocked by this rule. VM1 and VM2 can connect to the private endpoint because intra-VNet traffic is allowed by default.

Alexbz

"NSG rules applied to the subnet hosting the private endpoint are not applied to the private endpoint". So VM1 can connect to storage1 without any NSG filtering. For VM2, as subnet-to-subnet communication in a VNet is open by default, VM2 has access to storage1 through the private endpoint.

liorh

but the private endpoint is not applied to subnet 2

liorh

what is the correct answer?

ITFranz

To support the answer provided by JaridB.

https://learn.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy?tabs=network-policy-portal
"By default, network policies are disabled for a subnet in a virtual network. To use network policies like user-defined routes and network security group support, network policy support must be enabled for the subnet. This setting only applies to private endpoints in the subnet and affects all private endpoints in the subnet."

https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview
"To access more subresources within the same Azure service, more private endpoints with corresponding targets are required. In the case of Azure Storage, for instance, you would need separate private endpoints to access the file and blob subresources. Private endpoints support network policies. Network policies enable support for Network Security Groups (NSG), User Defined Routes (UDR), and Application Security Groups (ASG)."

Answer = N-Y-N

Jimmy500

This is what I think about the question. 425 No, No, No (if there is no access mentioned). If the VMs have access then No, Yes, No. I would answer like this, but nowhere does the question say whether the VMs have access to the storage account or not. This makes sense to choose all No, No, No because, as I mentioned, there is no point that talks about access; if we think there is access for all VMs we can choose No, Yes, No in this case. The reason for choosing No, Yes, No is as follows:
1. No, because the NSG gets applied.
2. Yes, because the private endpoint of the storage account and VM1 are in the same subnet. The NSG doesn't get applied.
3. No, because the NSG gets applied.
BR

Root7

N N N. Access policies are not mentioned. We have to assume there are no RBAC roles assigned to the managed identity of VM1 or VM2 and that access is not granted using vault access permissions.

TheProfessor

You are right. Nowhere is the permission/access policy mentioned. All the information is just for the network layer, but the questions ask about the data layer.

ESAJRR

Yes, Yes, Yes