Exam AZ-500
Question 430

HOTSPOT


You have an Azure subscription that is connected to an on-premises datacenter and contains the resources shown in the following table.

You need to configure virtual network service endpoints for VNet1 and VNet2. The solution must meet the following requirements:

• The virtual machines that connect to the subnet of VNet1 must access storage1, storage2, and Azure AD by using the Microsoft backbone network.

• The virtual machines that connect to the subnet of VNet2 must access storage1 and KeyVault1 by using the Microsoft backbone network.

• The virtual machines must use the Microsoft backbone network to communicate between VNet1 and VNet2.

How many service endpoints should you configure for each virtual network? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
Kb80

VNet1: 1 > Microsoft.Storage only. VNet2: 2 > Microsoft.Storage and Microsoft.KeyVault.

Service endpoints are enabled for the entire service, not per instance of a service. They are enabled per VNet and subnet. Azure AD does not have a service endpoint currently. For Azure Storage you can additionally use a service endpoint policy to control access to specific storage instances within a subnet.

https://jeffbrown.tech/azure-private-service-endpoint/
https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services#compare-private-endpoints-and-service-endpoints
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoint-policies-overview
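The "1 and 2" layout described above, written out as an added Bicep example (it is not code from the thread, the exam, or Microsoft's documentation). The VNet names, subnet names, address ranges, API versions and resource names are assumptions for illustration. It also shows the part the question does not ask about but a practitioner would want: enabling a service endpoint only changes routing, so the storage account and key vault firewalls are what actually limit access to the listed subnets, and VNet-to-VNet traffic uses peering, not an endpoint.

```bicep
// Added example (not from the thread or Microsoft docs). All names, ranges
// and API versions below are assumptions chosen for illustration.
param location string = resourceGroup().location
param storage1Name string   // assumed globally unique storage account name
param storage2Name string   // assumed globally unique storage account name
param keyVaultName string   // assumed globally unique key vault name

// VNet1: one subnet, one service endpoint (Microsoft.Storage). One endpoint
// covers storage1 and storage2 because endpoints are per service, not per
// account. No endpoint exists for Azure AD / Entra ID, so none is declared.
resource vnet1 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'VNet1'
  location: location
  properties: { addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] } }
}
resource vnet1Subnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet1
  name: 'subnet1'
  properties: {
    addressPrefix: '10.1.0.0/24'
    serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
  }
}

// VNet2: one subnet, two service endpoints (Storage and Key Vault).
resource vnet2 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'VNet2'
  location: location
  properties: { addressSpace: { addressPrefixes: [ '10.2.0.0/16' ] } }
}
resource vnet2Subnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet2
  name: 'subnet1'
  properties: {
    addressPrefix: '10.2.0.0/24'
    serviceEndpoints: [
      { service: 'Microsoft.Storage' }
      { service: 'Microsoft.KeyVault' }
    ]
  }
}

// VNet1 <-> VNet2 traffic stays on the Microsoft backbone through peering;
// no service endpoint is involved in that requirement.
resource peering12 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: vnet1
  name: 'vnet1-to-vnet2'
  properties: { remoteVirtualNetwork: { id: vnet2.id }, allowVirtualNetworkAccess: true }
}
resource peering21 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: vnet2
  name: 'vnet2-to-vnet1'
  properties: { remoteVirtualNetwork: { id: vnet1.id }, allowVirtualNetworkAccess: true }
}

// The endpoint alone grants nothing; the resource firewall (defaultAction Deny
// plus explicit virtualNetworkRules) is what restricts who can reach the data.
// storage1 is reachable from both subnets, storage2 only from VNet1's subnet.
resource storage1 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storage1Name
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
      virtualNetworkRules: [
        { id: vnet1Subnet.id, action: 'Allow' }
        { id: vnet2Subnet.id, action: 'Allow' }
      ]
    }
  }
}
resource storage2 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storage2Name
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
      virtualNetworkRules: [ { id: vnet1Subnet.id, action: 'Allow' } ]
    }
  }
}

// KeyVault1 is reachable only from VNet2's subnet.
resource keyVault1 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
      virtualNetworkRules: [ { id: vnet2Subnet.id } ]
    }
  }
}
```

Deploying a rule that references a subnet fails if that subnet lacks the matching service endpoint, which is a useful check that the two halves (endpoint on the subnet, rule on the resource) were configured together. If you want to restrict VNet1's subnet to these two storage accounts rather than all of Azure Storage, that is where the service endpoint policy mentioned above comes in.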

Alexbz

VNet1: 2, VNet2: 2. VNet1 has one subnet ("the virtual machines that connect to THE SUBNET of VNet1..."), so we need one service endpoint for storage1 and storage2 and one service endpoint for Azure AD.

hellboycze

Your answer is right, despite your mentioning a service endpoint for Azure AD, which is not required.

hfk2020

Tested in lab: it's 1 and 2. The Microsoft.AzureActiveDirectory tag listed under services supporting service endpoints is used only for supporting service endpoints to ADLS Gen 1. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

Malikusmanrasheed

Service endpoint is per service, per VNet. There is no service endpoint for Azure AD. VNet1 = 2: one for each storage. VNet2 = 2: one for storage, one for Key Vault.

Malikusmanrasheed

Forgot to paste the link about services covered by service endpoints: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview#secure-azure-services-to-virtual-networks

Jimmy500

Here we need to read the question carefully. For VNet1 it says we need to access storage1 and storage2. As we know, when we create a service endpoint, we can use one service endpoint for different storage accounts, or one service endpoint for different key vaults or other services that support service endpoints. The first statement says "VNet1's members need access to storage1 and storage2", which means we can create one service endpoint and achieve the given statement. For the second statement we have a key vault and a storage account, so in this case we need to create 2 different SEPs (service endpoints). For communication between VNets we do not have to create a SEP. My answer is 1, 2.

Jimmy500

Hi guys, while doing the MS Learn test I identified that we can use a service endpoint for Entra ID as well, which is why the answer for the first one will definitely be 2 as well. I am really sorry for this, but let's at least correct our mistakes. Please refer here: "A service endpoint is configured for a specific server at the subnet level. Based on the requirements, you need to configure two service endpoints for Microsoft.Storage on VNet1 because VNet1 has two subnets and three service endpoints for Microsoft.AzureActiveDirectory on VNet2 because VNet2 has three subnets. The minimum number of service endpoints that you must configure is five." Azure virtual network service endpoints | Microsoft Learn; Plan and implement security for virtual networks - Training | Microsoft Learn

_punky_

The answer is correct: 1 and 2. AD uses an agent inside the VM to connect to Azure AD.

**Steps for AD connection**

Create or select an Azure VM: you need to have an Azure VM running. If you don't have one, you can create a new VM from the Azure Portal, Azure CLI, or Azure PowerShell.

Configure Azure AD authentication for the VM: this can be done in a few different ways, but one common method is to use the Azure AD extension for Linux or Windows VMs. Here's how to do it:

For Windows VMs: you can install and configure the Azure AD Connect service to establish a connection between your VM and Azure AD. You can follow these steps: install the Azure AD Connect agent on the Windows VM. Register the VM with Azure AD using the Azure AD Connect agent. Configure the VM to use Azure AD credentials for login.

heatfan900

2, 2. VNet1 requires two: one for SA1 and SA2 via a STORAGE tag and one for AD. VNet2 requires two: one for SA1 and one for KV1. The VNets will communicate via the MICROSOFT BACKBONE NETWORK by being peered; no service endpoint required.

Ario

2 service endpoints for each. VNet1: service endpoint for Azure Storage: 2 endpoints (storage1 and storage2); service endpoint for Azure Active Directory (Azure AD): 1 endpoint. VNet2: service endpoint for Azure Storage: 1 endpoint (storage1); service endpoint for Azure Key Vault: 1 endpoint (KeyVault1).

Ario

Service endpoints are specific to Azure services like Azure Storage and Azure Key Vault, but not for Azure AD.

billo79152718

VNet1: 1, VNet2: 2

liorh

Why? Can you explain?

bxlin

VNet1: 1, VNet2: 2. The Microsoft.AzureActiveDirectory tag listed under services supporting service endpoints is used only for supporting service endpoints to ADLS Gen 1. Microsoft Entra ID doesn't support service endpoints natively.

Nava702

The Microsoft.AzureActiveDirectory tag exists for authentication to Entra ID. So it is 2 service endpoints for each VNet. https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview

erffre

• The virtual machines that connect to the subnet of VNet1 must access storage1, storage2, and Azure AD by using the Microsoft backbone network.
• The virtual machines that connect to the subnet of VNet2 must access storage1 and KeyVault1 by using the Microsoft backbone network.
• The virtual machines must use the Microsoft backbone network to communicate between VNet1 and VNet2.

VNet1 never connects to KeyVault, so billo79152718 is right, I guess. Never heard of an Azure AD service endpoint. Will check on that.