Exam AZ-500
Question 432

DRAG DROP

You have an on-premises datacenter.

You have an Azure subscription that contains a virtual machine named VM1. VM1 is connected to a virtual network named VNet1. VNet1 is connected to the on-premises datacenter by using a Site-to-Site (S2S) VPN.

You plan to create an Azure storage account named storage1 and deploy an Azure web app named App1.

You need to ensure that network communication to each resource meets the following requirements:

• Connections to App1 must be allowed only from corporate network NAT addresses.

• Connections from VNet1 to storage1 must use the Microsoft backbone network.

• The solution must minimize costs.

What should you configure for each resource? To answer, drag the appropriate components to the correct resources. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion
Yesvanth1

The solution must minimize costs: Private Endpoint & Private Link costs more. So: 1) Service Endpoint, 2) Access Restriction Rules.

basak

Service endpoint uses the backbone, while private endpoint brings the resource locally inside the VNet. Private endpoint costs more.

vxl

1: Service Endpoint 2: Access restriction rules

c12

storage1: Private endpoint; App1: Private link https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

_punky_

To sum those answers up: a private endpoint needs to be created to be able to communicate with the service, where you pay for inbound and outbound data. Also this service needs to have an IP in the subnet. Not every service can be accessed by private link. Access to only a single resource (only the created endpoint to a single service). A service endpoint has no costs and all services can be accessed via service endpoint, also Office services. Leveraging private IP to access AZ services by using public IP through the AZ backbone. Access to all resources. 1: Service endpoint 2: Access restriction rules. App1: Access Restriction Rules - Nowhere does it state that you are required to connect via MS backbone, and you also need to only restrict on-prem NAT addresses. Using the Access Restriction Rules on the Webapp achieves exactly that for free, which also minimizes cost. (Copied from previous answer from Shachar_Nativ)

ITFranz

Pricing and limits There's no extra charge for using service endpoints. The current pricing model for Azure services (Azure Storage, Azure SQL Database, etc.) applies as-is today. There's no limit on the total number of service endpoints in a virtual network. Certain Azure services, such as Azure Storage Accounts, may enforce limits on the number of subnets used for securing the resource. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#secure-azure-services-to-virtual-networks

wardy1983

storage1: Private endpoint; App1: Private link https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints

ITFranz

To support the answer for App1. https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli By setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, an implicit deny all exists at the end of the list. Answer = 1) Service Endpoint, 2) Access Restriction Rules.
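The access restriction semantics quoted in the comment above (a priority-ordered allow/deny list with an implicit deny-all once any entry exists) can be modelled locally so the rule set intended for App1 is checked before it is deployed. The following Python is an added example, not code from the original discussion and not Azure's own implementation: the entry field names mirror the ipSecurityRestrictions properties in the linked article, while build_allow_rules, evaluate, audit and the RFC 5737 sample ranges are constructions of mine.

```python
import ipaddress

# Constructed sample input: corporate NAT address ranges (RFC 5737 documentation
# prefixes, not real addresses) that App1 should accept.
CORP_NAT_RANGES = ["203.0.113.0/24", "198.51.100.7/32"]


def build_allow_rules(allowed_cidrs, start_priority=100):
    """Build a priority-ordered allow list shaped like App Service
    ipSecurityRestrictions entries (ipAddress, action, priority, name).
    Hypothetical helper; it does not call the Azure SDK or CLI."""
    rules = []
    for index, cidr in enumerate(allowed_cidrs):
        network = ipaddress.ip_network(cidr, strict=True)  # reject host bits set
        rules.append({
            "name": f"corp-nat-{index}",
            "ipAddress": str(network),
            "action": "Allow",
            "priority": start_priority + index,
        })
    return rules


def _matches(rule, ip):
    """True if the rule's address entry covers the source IP.
    'Any' is the wildcard entry; everything else is treated as CIDR."""
    entry = rule["ipAddress"]
    if entry == "Any":
        return True
    return ip in ipaddress.ip_network(entry, strict=False)


def evaluate(rules, source_ip, default_action="Deny"):
    """Model of access restriction evaluation: rules are walked in ascending
    priority, the first matching rule wins, and a request matching nothing
    gets the implicit default (Deny). Returns (action, matched_rule_name)."""
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches(rule, ip):
            return rule["action"], rule["name"]
    return default_action, "implicit-deny"


def audit(rules, widest_allowed_prefix=24):
    """Flag Allow entries broader than an on-premises NAT range should be:
    the 'Any' wildcard or a prefix shorter than the threshold. Such an entry
    silently re-opens the app to the whole internet."""
    findings = []
    for rule in rules:
        if rule["action"] != "Allow":
            continue
        entry = rule["ipAddress"]
        if entry == "Any":
            findings.append(f"{rule['name']}: allows Any")
        elif ipaddress.ip_network(entry, strict=False).prefixlen < widest_allowed_prefix:
            findings.append(
                f"{rule['name']}: allows {entry}, broader than /{widest_allowed_prefix}"
            )
    return findings


if __name__ == "__main__":
    rules = build_allow_rules(CORP_NAT_RANGES)
    for ip in ("203.0.113.45", "198.51.100.7", "198.51.100.8", "192.0.2.10"):
        print(ip, evaluate(rules, ip))
    # A stray wildcard entry at a lower priority number would defeat the requirement;
    # the audit surfaces it before the list is applied.
    stray = {"name": "oops", "ipAddress": "Any", "action": "Allow", "priority": 50}
    print(audit(rules + [stray]))
```

Running the block prints Allow for the two corporate NAT sources and Deny for everything else without any explicit deny entry, which is the implicit deny-all the comment describes; the audit catches the one configuration mistake that would quietly undo the requirement, an Allow for Any (or an overly wide prefix) sorted ahead of the NAT entries.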

JaridB

Provided answers are correct: 1. Service Endpoint 2. Access Restriction Rules

epomatti

"Access Restriction Rules" are for Public IP addresses. There is no integration with network or on-premises. Additionally, in App Services, VNET integration is only for outbound connections. https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions?tabs=azurecli

LekkerZomer

How is traffic being sent when using Private Link? Traffic is sent privately using Microsoft backbone. So there you have it. Answer is right, vote me up :-) https://learn.microsoft.com/en-us/azure/private-link/private-link-faq

Shachar_Nativ

Storage1: Private Endpoint - Although Service Endpoint is cheaper, it is required to connect via MS backbone. Private Endpoint achieves that by connecting the VM's Private IP to the Storage's Private IP, while Service Endpoint connects the VM's Private IP to the Storage's Public IP, in a nutshell. App1: Access Restriction Rules - Nowhere does it state that you are required to connect via MS backbone, and you also need to only restrict on-prem NAT addresses. Using the Access Restriction Rules on the Webapp achieves exactly that for free, which also minimizes cost.