Exam AZ-500
Question 325

You have an Azure subscription that contains an Azure key vault named Vault1 and a virtual machine named VM1.

VM1 is connected to a virtual network named VNet1.

You need to allow access to Vault1 only from VM1.

What should you do in the Networking settings of Vault1?

Correct Answer: A

    To allow access to Vault1 only from VM1, you should add the IP address of VM1 in the Firewalls and virtual networks tab of Vault1. This restricts access only to the specific IP address assigned to VM1, ensuring no other machines have access, which fulfills the requirement of allowing access solely from VM1.

Discussion
ITTesters (Option: A)

A: Correct, only allows access from VM1 to KV. B: Incorrect, there is no VM option at the creation of the Endpoint; https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource C: Incorrect, only VM1 is allowed, rest of the Vnet is disallowed. D: This overrules FW rules created, but is not the question.

Ofenomeno

The link below shows that you can use static IPs, IP ranges, or VNets and subnets. It recommends using VNets if VMs are the target, but in this question we don't know what other resources are under VNet1, so A is the safer option. https://learn.microsoft.com/en-us/azure/key-vault/general/network-security

heatfan900

STOP ASKING CHAT GPT. IT'S ALWAYS WRONG. THE CORRECT ANSWER IS A. YOU LIMIT THAT ONE IP TO CONNECT TO KEY VAULT THE SAME WAY YOU WOULD LIMIT CONNECTIVITY TO A STORAGE ACCT. ALL THE PRIVATE ENDPOINT DOES IS ALLOW INBOUND CONNECTION TO THE KEY VAULT FROM WITHIN THE AZURE ENVIRONMENT ONLY, AND THAT IS AS LONG AS THE PEERING AND ROUTING IS SET UP CORRECTLY IF NEEDED.

xxavimr (Option: B)

Many people say that it is A (VM's IP). They are not saying if that VM has static or dynamic IP. In networking, we have private link option to allow specifically that VM.

xxavimr

I forgot the link anyway. https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal

Mnguyen0503

B doesn't fulfill the requirement to ONLY allow access from VM1. Private endpoint won't block connections from other hosts. So the answer is A.

Anarchira (Option: A)

The question is very specific and says ONLY from VM1. We don't know if there are more machines on VNet1, but if we add VNet1, any machine from VNet1 could access it and it would defeat the purpose of the question. "You need to allow access to Vault1 ONLY from VM1". I'm going with A.

daz_rekka (Option: A)

Agreed, it very clearly says only VM1 in the question making A correct.

Cock (Option: C)

Similar question

Jimmy500 (Option: B)

I think this will definitely use a private endpoint. Let me explain why: the question says VM1 is connected to VNet1, and we need to give access only from VM1, not from the entire VNet. Many people confuse this with option A; no, it is not. In the Firewalls and virtual networks settings you cannot choose a specific VM which is connected to VNet1. However, a private endpoint grants access only for one private IP address from the virtual network, and that is why here the answer is A.

datz (Option: A)

Tricky question, must be A. As we only need to allow the connection from VM1 and nobody else, the connection will need to be over a PIP (public IP).

RemmyT (Option: B)

Tested in lab. Cannot be A: private IPs (NET) cannot be added to the Firewalls and virtual networks tab (only public IPs are permitted). Message: "Invalid value found at properties.networkAcls.ipRules[0].value: 10.44.2.4/32 belongs to forbidden range 10.0.0.0–10.255.255.255 (private IP addresses)". Cannot be C: it's working, but all VNet traffic is permitted.
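As an added illustration (not part of the exam page or of any poster's comment), the model below encodes two things the thread discusses: the answer key's reasoning that a deny-by-default network ACL with a single public-IP rule admits VM1 alone while a VNet rule admits every host on that subnet, and the lab error RemmyT quotes, where a private 10.x address is refused as an IP rule. The ARM-style dict shape of `networkAcls`, the sample addresses and subnet id, and treating all three RFC 1918 blocks as forbidden are assumptions of this model, not the product's documented behaviour.

```python
import ipaddress

# Assumption: the private IPv4 ranges that Key Vault's ipRules refuse. The page
# only shows the 10.0.0.0/8 case; the other two RFC 1918 blocks are assumed here.
PRIVATE_RANGES = [ipaddress.ip_network(r) for r in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_forbidden_ip_rule(value):
    """True when an ipRules value sits inside a private range (the lab error case)."""
    net = ipaddress.ip_network(value, strict=False)
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def is_allowed(acls, source_ip=None, subnet_id=None):
    """Evaluate a modelled networkAcls document for one caller.

    subnet_id is the caller's VNet subnet resource id (a virtualNetworkRules
    match admits it regardless of its private IP); source_ip is the public
    address the vault sees. Anything unmatched falls through to defaultAction.
    """
    for rule in acls.get("virtualNetworkRules", []):
        if subnet_id and rule["id"].lower() == subnet_id.lower():
            return True
    if source_ip:
        ip = ipaddress.ip_address(source_ip)
        if any(ip in ipaddress.ip_network(r["value"], strict=False)
               for r in acls.get("ipRules", [])):
            return True
    return acls.get("defaultAction", "Allow") == "Allow"


def only_vm1_acls(vm1_public_ip):
    """Option A as a networkAcls document: deny by default, allow VM1's public IP only."""
    if is_forbidden_ip_rule(vm1_public_ip):
        raise ValueError(f"{vm1_public_ip} is in a private range; use VM1's public IP")
    rule = ipaddress.ip_network(vm1_public_ip, strict=False).with_prefixlen
    return {"defaultAction": "Deny", "bypass": "None",
            "ipRules": [{"value": rule}], "virtualNetworkRules": []}


def whole_vnet_acls(subnet_id):
    """Option C as a networkAcls document: every host on the subnet is admitted."""
    return {"defaultAction": "Deny", "bypass": "None",
            "ipRules": [], "virtualNetworkRules": [{"id": subnet_id}]}


if __name__ == "__main__":
    # Constructed sample values: a documentation-range public IP for VM1 and a
    # hypothetical subnet id for VNet1.
    subnet = "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/VNet1/subnets/default"
    a, c = only_vm1_acls("203.0.113.10"), whole_vnet_acls(subnet)
    print("A admits VM1:", is_allowed(a, source_ip="203.0.113.10"))
    print("A admits another VM on VNet1:", is_allowed(a, source_ip="203.0.113.11", subnet_id=subnet))
    print("C admits another VM on VNet1:", is_allowed(c, source_ip="203.0.113.11", subnet_id=subnet))
```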

Pamban

Okay, but a private endpoint can be used to allow multiple resources to connect to KV. It seems this question doesn't provide much more info. You need to have a public IP address plus a service endpoint configured in the subnet if you consider answer A.

wingcheuk (Option: B)

I think both A and B can do the work. A = VM1 > Vault1 by IP address. B = VM1 > VNet > Private Endpoint > Vault1. But B is more secure for sure. I will go for B.

TheProfessor (Option: A)

From the Firewalls and virtual networks tab, add the IP address of VM1.

BigShot0 (Option: A)

Only VM1 - Not the VNET

cyberebyc (Option: B)

Answer is: B I asked ChatGPT and here is the answer: "To allow access to Vault1 only from VM1, you should do the following in the Networking settings of Vault1: B. From the Private endpoint connections tab, create a private endpoint for VM1. Creating a private endpoint for VM1 will enable private and secure communication between VM1 and Vault1. This approach ensures that only VM1, which has a private endpoint, can access the resources in Vault1. This is a more secure method than simply allowing an IP address or a virtual network because it leverages Azure Private Link to establish a secure connection. Options A, C, and D do not provide the same level of security and access control as using a private endpoint. Option A allows access based on an IP address, which can be less secure. Option C adds the entire virtual network, potentially allowing more resources than just VM1 to access Vault1. Option D allows trusted Microsoft services to bypass the firewall, but it doesn't restrict access to VM1 specifically."

flipExam

if the question is ambiguous, ChatGPT doesn't know either.

Alexbz (Option: C)

C is correct

xcapell (Option: A)

Why not add the IP address of VM in the FW section of Key Vault? I would only select C if we assume the VM has an assigned dynamic IP. If we do not make this assumption, "A" would be my option as you would give higher restrictive access to the Key Vault, as you would not allow any other, future added, resource access to the Key Vault.

billo79152718

So what do you do when this is done at scale? And do you then add static IPs to VMs? I don't think so. Therefore C is correct!

xcapell

Just VM1 needs to access the KeyVault, not any other resource that could be created in VNET1. So I think the answer is still "A".

Ed2learn

In a real-world scenario - you would be correct. This is a Microsoft certification exam with a specific use case for a single VM. While I agree this isn't practical for most applications, "A" will be the correct answer for this exam.

billo79152718 (Option: C)

C is correct