Exam AZ-104
Question 545

HOTSPOT

You have an Azure subscription that contains two storage accounts named contoso101 and contoso102.

The subscription contains the virtual machines shown in the following table.

VNet1 has service endpoints configured as shown in the Service endpoints exhibit. (Click the Service endpoints tab.)

The Microsoft.Storage service endpoint has the service endpoint policy shown in the Microsoft.Storage exhibit. (Click the Microsoft.Storage tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion
Batiste2023

Ok, I'm the first to comment, yeah! Not a reason to be very cheerful, as I've not worked with service endpoints in practice yet... But well, here's my take on this: NNY
- N: The service endpoint policy only covers storage account contoso101, not contoso102 (in subnet2). In my interpretation that means that contoso102 is not accessible from VM1 (subnet1).
- N: The service endpoint is only available for clients from subnet1; VM2 is in subnet2 and therefore doesn't have access.
- Y: There's a service endpoint for Azure AD for subnet2, which VM2 can use, therefore a private IP address is sufficient to reach the service.
(I am VERY much open to feedback and corrections on all this!)

Indy429

Oh and the answer to Q1 should be yes in my opinion: The subnet1 that is associated with VNet1 is set towards Microsoft.StorageAccount as per the second table. This indicates that an effective subnet has been created for the storage accounts and therefore, the answer should be Yes

Bloodygeek

By default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service. Once a policy is configured on that subnet, only the resources specified in the policy can be accessed from compute instances in that subnet. Access to all other storage accounts is denied. ref: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview From the storage service endpoint configuration, you can see that only contoso101 was listed in RG1, East US. Bear in mind, contoso102 was not mentioned. The answer is No.

Bloodygeek

Agree with the answer NNY. However, for the first answer: by default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service. Once a policy is configured on that subnet, only the resources specified in the policy can be accessed from compute instances in that subnet. Access to all other storage accounts is denied. ref: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview From the storage service endpoint configuration policy, you can see that only contoso101 was listed in RG1, East US. Bear in mind, contoso102 was not mentioned. The question did not mention what RG contoso102 was in. Even if contoso102 is in the same RG as contoso101, VM1 cannot access contoso102 due to policy 1.

SDiwan

The first question is tricky. The policy is applied to RG1 and East US location. But we don't know if VNET1 is in RG1 and located in East US. So, that's why I would ignore it and go by the service endpoint created for subnet1, and say the answer is YES.

nchebbi

NYN.
N: VM1 in VNET1/Subnet1 traffic is limited by the endpoint policy to ONLY contoso101 (see Ref1).
Y: VM2 in subnet 2; there's no service endpoint for subnet2, so it will reach out to it through the service public IP. There's no mention that storage accounts are configured to limit traffic to the VNET1 address space, so we assume it's not configured.
N: it uses a public IP. Microsoft.AzureActiveDirectory is used only for supporting data lake storages, not for connecting to AzureAD/Entra, which doesn't support service endpoints.
Ref1: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#configuration
Ref2: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#limitations

nchebbi

From Ref2: "The Microsoft.AzureActiveDirectory tag listed under services supporting service endpoints is used only for supporting service endpoints to ADLS Gen 1. Microsoft Entra ID doesn't support service endpoints natively."
From Ref1: "When Service Endpoint policies are applied on a subnet, the Azure Storage Service Endpoint scope gets upgraded from regional to global. This process means that all the traffic to Azure Storage is secured over service endpoint thereafter. The Service endpoint policies are also applicable globally. Any storage accounts that aren't explicitly allowed are denied access. You can apply multiple policies to a subnet. When multiple policies are associated to the subnet, virtual network traffic to resources specified across any of these policies are allowed. Access to all other service resources, not specified in any of the policies, are denied."

clg003

YNY https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview Going to give it a shot.
Y: Storage is generally accessible unless something restricts it. No service endpoint has been created on storage 1, so its public IP should still be accessible, since there is no indication it's been restricted. Creating the endpoint would have, since you have to close the public IP to do so.
N: Since the resource has a service endpoint established, its public access is restricted, and since the service endpoint is scoped to subnet2, VMs in subnet1 can't access it.
Y: Since an Azure AD service endpoint is created for this resource and it's scoped to subnet2, VMs on subnet2 can access that resource as if it was in its VNet using a private endpoint.

trferreiraBR

Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet. After enabling a service endpoint, the source IP addresses switch from using public IPv4 addresses to using their private IPv4 address when communicating with the service from that subnet.

trferreiraBR

VM1 can access contoso102: VM1 is in VNET1/Subnet1. There is a service endpoint created to Microsoft.Storage from SubNet1, but there isn't a Virtual network service endpoint policy for Azure Storage to contoso102. By default, if no policies are attached to a subnet with endpoints, you can access all storage accounts in the service.
VM2 can access contoso101: VM2 is in VNET1/Subnet2. There is a service endpoint created to Microsoft.Storage only from SubNet1, and there is a service endpoint policy to contoso101. Once a service endpoint policy exists and a Virtual network service endpoint policy for Azure Storage exists only to contoso101, then it's not possible to access from other subnets.
VM2 uses a private IP address to access Azure AD: After enabling a service endpoint, the source IP addresses switch from using public IPv4 addresses to using their private IPv4 address when communicating with the service from that subnet.

trferreiraBR

Reference:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq#virtual-network-service-endpoints
https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services#service-endpoints

trferreiraBR

Answer: Y,N,Y

ignorica

Q1) VM1 is in Subnet1. Subnet1 has the service endpoint as per the screenshot. The text says the endpoint has the endpoint policy associated. The endpoint policy allows only contoso101. VM1 is in Subnet1 -> how can VM1 access contoso102 if the policy does not specify it in the resources? Something does not click here.

ignorica

On top of that, the wording of the question seems vague... nothing is specifying that public access over the Internet to the storage accounts is disabled.

clg003

I have to change my last answer to N. One of the main differences between Service Endpoints and Private Endpoints is that with service endpoints you still access the resources using their public IP addresses, but it comes from your private IP. I've seen this mentioned in several resources now... https://jeffbrown.tech/azure-private-service-endpoint/ (read the summary)

MatAlves

"Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet." "With service endpoints, service traffic switches to use virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network." https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

Amir1909

No Yes Yes

SgtDumitru

YYY VM1 can access contoso102 over the internet, but it won't use the Microsoft.Storage service endpoint. VM2 can access contoso101 over the internet, but it won't use the Microsoft.Storage service endpoint. VM2 uses a private IP address to access Azure AD due to the presence of the Microsoft.AzureActiveDirectory service endpoint in Subnet2.

tableton

I agree, nothing is preventing VMs from accessing the SAs over the internet.

ki01

(1/2) Been researching this for the past hour or so..... makes my head spin. TL;DR Y Y Y. Azure Files provides two main types of endpoints for accessing Azure file shares: public endpoints, which have a public IP address and can be accessed from anywhere in the world, and private endpoints, which exist within a virtual network and have a private IP address from within the address space of that virtual network. Enabling a private endpoint does not automatically disable the public one. The benefit of having a private endpoint is that you can secure your storage from any sort of public access. So with that we can assume that public endpoints are still online on these storage accounts, because there would be an explicit action to disable them, if so wanted.

ki01

(2/2) So with that information, now we see why the information about public IPs is provided. For our purpose the tier of public IP doesn't matter. Also, from what I know, every server in Azure can reach Azure AD by default to get an access token for storage, so having AAD endpoints on each subnet is not needed. Lastly, I think that within Azure a private IP is always used to connect to AAD, but I might be wrong. Still, it doesn't matter, because VM2, which is on subnet2, which has the AAD endpoint attached to it, will use a private IP for sure. The answers would be different if it was asked what type of IP (public/private) can be used to connect to each of the services. As it stands now, I can use public for both storages, which instantly eliminates two questions, and the third one is set in stone as Yes due to having a private endpoint on the subnet. If anyone wants to lab this, go ahead; after 500 questions, I'm running thin on enthusiasm.

ki01

Sidenote: for the first guy to say "well, what makes you think that public endpoints are enabled?" I ask what makes you think they are disabled? Storage by default is created with a public endpoint and you need to go in and create a private one, not the other way around. Best practice would be to disable them for security, but these questions never rely on best practices, only on the mock situation that is created.

090200f

But storage account contoso101 has a policy, right?

marerad

I think this is correct; service endpoints do not block traffic, they just define whether the network path will use the Microsoft backbone network and not the standard internet path. So everything is reachable in some way, since it is on the same VNet, and the last answer is YES because a service endpoint is configured for Azure AD.

090200f

Box 1: No. The service endpoint policy only covers storage account contoso101, not contoso102 (in subnet2), and it has a policy.
Box 2: Yes, VM2 can access contoso101. VM2 is connected to VNet1/Subnet2. The service endpoint for Microsoft.Storage is configured on VNet1/Subnet2. VM2 can directly access contoso101 using the service endpoint, because of the same VNet.
Box 3: Yes. There's a service endpoint for Azure AD for subnet2, which VM2 can use, therefore a private IP address is sufficient to reach the service.

TechThameem

The Answer:
VM1 can access contoso102. A. No
VM2 can access contoso101. A. Yes
VM2 uses a private IP address to access Azure AD. A. Yes
Explanation:
1. VM1 can access contoso102 (No): VM1 is connected to VNet1/Subnet1. The service endpoint for Microsoft.Storage is configured on VNet1/Subnet2. Since VM1 is not in the same subnet as the Microsoft.Storage service endpoint, it cannot directly access contoso102.
2. VM2 can access contoso101 (Yes): VM2 is connected to VNet1/Subnet2. The service endpoint for Microsoft.Storage is configured on VNet1/Subnet2. VM2 can directly access contoso101 using the service endpoint.
3. VM2 uses a private IP address to access Azure AD (Yes): VM2 uses a private IP address to communicate with Azure AD (Azure Active Directory). Azure AD communication does not require public IP addresses.
In summary, VM1 cannot access contoso102, VM2 can access contoso101, and VM2 uses a private IP address for Azure AD communication.

WeepingMaplte

N,Y,Y https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview#scenarios:~:text=Endpoint%20policies%20provide%20granular%20access%20control%20for%20virtual%20network%20traffic%20to%20Azure%20Storage%20when%20connecting%20over%20service%20endpoint.

sismer

NYY https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview

sismer

NYY is correct

mkhlszf

Many people here seem to be missing something fundamental, and that is how Service Endpoints work. You're thinking like a compute engineer instead of like a network engineer. Sure, on a policy level nothing is stopping you from reaching the other storage account over the internet, but on a network level there is. "Service Endpoint" is just a fancy way of calling a network route that uses another gateway other than the default and redirects all the traffic for the service (in this case Azure Storage) over the MS internal network. As anyone familiar with routing knows, if you add another route, as long as the traffic meets the criteria it will go through that route; the default route 0.0.0.0/0 will be used when there are no other routes available. In this case there is another route available, which is the one that goes over the Service Endpoint, so each and every bit of traffic for Azure Storage will use that route and won't even consider touching the default route which goes over the internet. If all your traffic is forced to pass through a single point, then you can easily block whatever you want with a policy, or a firewall rule, or a proxy, or whatever other means you have to do so.
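The configuration the thread is arguing about, as an added Azure PowerShell example (not from the question or any poster): a Microsoft.Storage endpoint policy on Subnet1 that lists only contoso101, a Microsoft.AzureActiveDirectory endpoint on Subnet2, and the effective-route check that shows whether a VM's storage traffic actually takes the VirtualNetworkServiceEndpoint next hop or the 0.0.0.0/0 Internet route, which is the point made in the post above. RG1, East US, contoso101, VNet1, Subnet1 and Subnet2 come from the question; the NIC name vm1-nic and the policy name are assumptions.

```powershell
# Added example, not from the page. Assumed: VNet1 with Subnet1/Subnet2 already
# exists in RG1 (East US), and VM1's NIC is named "vm1-nic".
$rg  = 'RG1'
$loc = 'eastus'

# Resource ID of the only storage account the policy is meant to allow.
$contoso101Id = (Get-AzStorageAccount -ResourceGroupName $rg -Name 'contoso101').Id

# Endpoint policy: Microsoft.Storage, restricted to contoso101. Per the docs quoted
# in the thread, any storage account not listed is denied over the endpoint.
$def = New-AzServiceEndpointPolicyDefinition -Name 'allow-contoso101' `
    -Service 'Microsoft.Storage' -ServiceResource $contoso101Id
$policy = New-AzServiceEndpointPolicy -Name 'Policy1' -ResourceGroupName $rg `
    -Location $loc -ServiceEndpointPolicyDefinition $def

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNet1'

# Subnet1: Microsoft.Storage endpoint with the policy attached (keep its prefix).
$s1 = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Subnet1'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Subnet1' `
    -AddressPrefix $s1.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' `
    -ServiceEndpointPolicy $policy | Out-Null

# Subnet2: only the Microsoft.AzureActiveDirectory endpoint, no storage endpoint.
$s2 = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Subnet2'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Subnet2' `
    -AddressPrefix $s2.AddressPrefix -ServiceEndpoint 'Microsoft.AzureActiveDirectory' | Out-Null

$vnet | Set-AzVirtualNetwork | Out-Null

# Check: effective routes on VM1's NIC (the VM must be running). Storage prefixes
# show next hop VirtualNetworkServiceEndpoint; a NIC in a subnet without the
# endpoint only has the 0.0.0.0/0 Internet route for the same destinations.
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName 'vm1-nic' |
    Where-Object { $_.NextHopType -in 'VirtualNetworkServiceEndpoint', 'Internet' } |
    Select-Object Source, @{ n = 'Prefix'; e = { $_.AddressPrefix -join ',' } }, NextHopType |
    Format-Table -AutoSize
```

Run the same Get-AzEffectiveRouteTable call against VM2's NIC to compare: with no Microsoft.Storage endpoint on Subnet2 there is no VirtualNetworkServiceEndpoint route for storage there, only the Internet default route.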