Exam AZ-500
Question 426

HOTSPOT

You have an Azure subscription that is linked to an Azure AD tenant and contains the virtual machines shown in the following table.

The subnets of the virtual networks have the service endpoints shown in the following table.

You create the resources shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
billo79152718

Yes, No, No is correct

femzy

YNY
Connections from VM1 to storage1 always use IP address 10.1.1.5. Yes: VM1 is connected to VNET1/Subnet1.
Connections from VM2 to Vault1 always use IP address 20.224.219.230. No: VM2 will use its private IP address within the VNET to connect to Vault1 since both are within the same VNET (VNET1) and there is a service endpoint for Microsoft.KeyVault in VNET1/Subnet2. We are trying to use the Microsoft Backbone Network.
Authentication from VM3 to the tenant uses either IP address 10.11.1.5 or 40.122.155.212. Yes: VM3 can use its private IP for internal Azure traffic but would use its public IP for communication over the internet, such as authentication with Azure services that are not part of the VNET.

Jimmy500

The question does not say the tenant is part of the VNet, so it will use the public IP. You say that too in your last statement, and you choose Yes for the third one.

xcapell

Good explanation in the following link: https://stackoverflow.com/questions/73769449/azure-difference-between-service-endpoint-and-private-endpoint-in-simple-terms

heatfan900

THEY ARE REFERENCING A SERVICE ENDPOINT, NOT A PRIVATE ENDPOINT. THE ANSWERS ARE: N, Y, Y
connections from VM1 to STORAGE 1 will always use PUBLIC IP
connection from VM2 to VAULT 1 will always use PUBLIC IP
authentication from VM3 to TENANT can use either PRIVATE or PUBLIC because it has no SERVICE ENDPOINT.
Knew this already but the diagram here outlines it perfectly: https://stackoverflow.com/questions/73769449/azure-difference-between-service-endpoint-and-private-endpoint-in-simple-terms

allen008

The link provided seems to suggest that the default (NO Private Endpoint or Service Endpoint configured) would use the Public IP address of the VM. Would this NOT make item #3 = NO, since 10.11.1.5 is not an option for the communication? The question asks 10.11.1.5 OR 40.122.155.212; according to the link, 10.11.1.5 is not an option.

allen008

Just noticed this also... the link seems to suggest that when using a Service Endpoint the source IP address of the VM uses the Private IP. That would potentially change Item#2. Can anyone provide clarification?

Codelawdepp

Misunderstood. Long studying sessions can make you tired :-) If the VMs use Service Endpoints, they utilize their private IP to then communicate with the public storage account.
1: Yes: VM1 uses the Service Endpoint and therefore utilizes the private IP address.
2: No: VM2 also uses the Service Endpoint and therefore utilizes the private IP address.
3: Yes: VM3 can use its private IP for internal Azure traffic but would use its public IP for communication over the internet, such as authentication with Azure services that are not part of the VNET.
The virtual machine will use its private IP to communicate with the public endpoint of the storage account. Other reference: Difference between private endpoint and service endpoint.

Jimmy500

Why do you choose Yes for the third one even though you say the VM will use the public IP only with the tenant?

Self_Study

On an exam on 7/8/23, agree with the answer provided.

Zuurpruim

I would go for Y, N, Y.
1. You connect to a Service Endpoint (Storage1), therefore you'll use the private IP as outgoing. So the answer is Yes.
2. You connect to a Service Endpoint (Vault1), therefore you'll use the private IP as outgoing. So the answer is No.
3. This is a wild guess, I would say both. It might depend on where you authenticate to. So I would go for Yes.

ITFranz

To support the question: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
Virtual Network (VNet) service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Service Endpoints enables private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
The Microsoft.AzureActiveDirectory tag listed under services supporting service endpoints is used only for supporting service endpoints to ADLS Gen 1. Microsoft Entra ID doesn't support service endpoints natively.
Answer = Y-N-N
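One way to check which source address a storage account actually records for a caller, as an added example that is not part of the original thread. It assumes storage resource-log records exported as JSON lines with a `CallerIpAddress` field in `ip:port` form; the records below are constructed and reuse addresses quoted in the question.

```python
import ipaddress
import json

# Constructed sample records (not real logs). Assumed shape: one JSON object
# per line, with CallerIpAddress given as "ip:port".
SAMPLE_LOGS = """\
{"TimeGenerated": "2024-01-01T10:00:00Z", "AccountName": "storage1", "OperationName": "GetBlob", "CallerIpAddress": "10.1.1.5:50112"}
{"TimeGenerated": "2024-01-01T10:00:05Z", "AccountName": "storage1", "OperationName": "GetBlob", "CallerIpAddress": "20.224.219.230:44120"}
{"TimeGenerated": "2024-01-01T10:00:09Z", "AccountName": "storage1", "OperationName": "PutBlob", "CallerIpAddress": "not-an-ip"}
"""


def caller_ip(value):
    """Strip the port from 'ip:port' or '[v6]:port'; return None if unparsable."""
    host = value.strip()
    if host.startswith("["):
        # Bracketed IPv6 literal followed by a port.
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:
        # IPv4 with a port; a bare IPv6 address has more than one colon.
        host = host.split(":", 1)[0]
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def classify(record):
    """Label a record by whether the service saw a private or public source."""
    ip = caller_ip(record.get("CallerIpAddress", ""))
    if ip is None:
        return "unparsed"
    return "private-source" if ip.is_private else "public-source"


def summarize(log_text):
    """Return (CallerIpAddress, label) for every non-empty log line."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            results.append((rec.get("CallerIpAddress", ""), classify(rec)))
    return results


if __name__ == "__main__":
    for addr, verdict in summarize(SAMPLE_LOGS):
        print(f"{addr:28} {verdict}")
```

A `private-source` entry means the request reached the service with the VM's VNet address, which is what the quoted documentation describes for subnets with a service endpoint enabled.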

Neverwinter

They still travel internally when going to another service endpoint in your tenant. The service vs. private difference is just that the service is also publicly routable if needed, vs. a private, which is only internal. Answers are correct.

liorh

What is the correct answer?