Topic: AZ-500 topic 4 question 100

You have an Azure subscription that contains an Azure key vault named Vault1 and a virtual machine named VM1.

VM1 is connected to a virtual network named VNet1.

You need to allow access to Vault1 only from VM1.

What should you do in the Networking settings of Vault1?

A.
From the Firewalls and virtual networks tab, add the IP address of VM1.
B.
From the Private endpoint connections tab, create a private endpoint for VM1.
C.
From the Firewalls and virtual networks tab, add VNet1.
D.
From the Firewalls and virtual networks tab, set Allow trusted Microsoft services to bypass this firewall to Yes for Vault1.

Re: AZ-500 topic 4 question 100

A: Correct, only allows access from VM1 to KV.
B: Incorrect, there is no VM option at the creation of the Endpoint;
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview#private-link-resource
C: Incorrect, only VM1 is allowed; the rest of the VNet is disallowed.
D: This overrules the FW rules created, but is not the question.

Re: AZ-500 topic 4 question 100

The link below shows that you can add static IPs, IP ranges, or VNets and subnets. It recommends using VNets if VMs are the target, but in this question we don't know what other resources are under VNet1, so A is the safer option.

https://learn.microsoft.com/en-us/azure/key-vault/general/network-security

Re: AZ-500 topic 4 question 100

STOP ASKING CHAT GPT. IT'S ALWAYS WRONG.

THE CORRECT ANSWER IS A. YOU LIMIT THAT ONE IP TO CONNECT TO KEY VAULT THE SAME WAY YOU WOULD LIMIT CONNECTIVITY TO A STORAGE ACCOUNT.

ALL THE PRIVATE ENDPOINT DOES IS ALLOW INBOUND CONNECTION TO THE KEY VAULT FROM WITHIN THE AZURE ENVIRONMENT ONLY, AND THAT IS AS LONG AS THE PEERING AND ROUTING ARE SET UP CORRECTLY, IF NEEDED.

Re: AZ-500 topic 4 question 100

Tested in lab

Cannot be A.
Private IPs (NET) cannot be added to the Firewalls and virtual networks tab
(only public IPs are permitted).
Message:
Invalid value found at properties.networkAcls.ipRules[0].value: 10.44.2.4/32 belongs to forbidden range 10.0.0.0–10.255.255.255 (private IP addresses)

Cannot be C.
It works, but all VNet traffic is permitted.
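
The rejection the lab poster hit can be checked before touching the vault. The following is an added example, not code from the thread or from Microsoft: a Python pre-flight check that builds the networkAcls fragment for option A and rejects private-range ipRules the way the quoted error does. It assumes all three RFC 1918 ranges are forbidden (the thread only shows the 10.0.0.0/8 case) and forces defaultAction to Deny, since an ipRule restricts nothing while the default stays Allow.

```python
import ipaddress

# Ranges treated as forbidden for Key Vault ipRules.
# Assumption: all of RFC 1918, not only the 10/8 range seen in the thread.
FORBIDDEN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def check_ip_rule(value):
    """Return None if `value` is usable as a Key Vault ipRule, otherwise an
    error string shaped like the message quoted in the thread."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return f"{value} is not a valid IPv4 address or CIDR"
    if net.version != 4:
        return f"{value} is not IPv4"
    for rng in FORBIDDEN_RANGES:
        if net.subnet_of(rng):
            return (f"{value} belongs to forbidden range "
                    f"{rng[0]}\u2013{rng[-1]} (private IP addresses)")
    return None


def build_network_acls(ip_rules, vnet_subnet_ids=(), bypass="None"):
    """Build the networkAcls fragment for a vault restricted to `ip_rules`
    (option A) and optional subnet IDs (option C).  Raises ValueError listing
    every bad ipRule with its ARM-style property path."""
    errors = []
    for i, value in enumerate(ip_rules):
        err = check_ip_rule(value)
        if err:
            errors.append("Invalid value found at "
                          f"properties.networkAcls.ipRules[{i}].value: {err}")
    if errors:
        raise ValueError("\n".join(errors))
    return {
        "defaultAction": "Deny",       # rules are meaningless with Allow
        "bypass": bypass,              # "AzureServices" is option D
        "ipRules": [{"value": v} for v in ip_rules],
        "virtualNetworkRules": [{"id": sid} for sid in vnet_subnet_ids],
    }
```

Feeding the VM's private VNet address (the constructed 10.44.2.4/32 from the lab post) raises the same error text, while a public address such as the constructed 203.0.113.10 yields a Deny-by-default fragment with a single ipRule.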

Re: AZ-500 topic 4 question 100

Okay... but a private endpoint can be used to allow multiple resources to connect to KV. It seems this question doesn't provide much more info. You need to have a public IP address plus a service endpoint configured in the subnet if you consider answer A.

Re: AZ-500 topic 4 question 100

I think both A and B can do the work.
A = VM1 > Vault1 by IP address
B = VM1 > VNet > Private Endpoint > Vault1.
But B is more secure for sure. I will go for B.

Re: AZ-500 topic 4 question 100

Many people say that it is A (the VM's IP). They are not saying if that VM has a static or dynamic IP. In networking, we have the private link option to allow specifically that VM.

Re: AZ-500 topic 4 question 100

I forgot the link anyway.

https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal

Re: AZ-500 topic 4 question 100

B doesn't fulfill the requirement to ONLY allow access from VM1. Private endpoint won't block connections from other hosts. So the answer is A.

Re: AZ-500 topic 4 question 100

From the Firewalls and virtual networks tab, add the IP address of VM1.

Re: AZ-500 topic 4 question 100

Only VM1 - Not the VNET

Re: AZ-500 topic 4 question 100

Answer is: B

I asked ChatGPT and here is the answer:
"To allow access to Vault1 only from VM1, you should do the following in the Networking settings of Vault1:

B. From the Private endpoint connections tab, create a private endpoint for VM1.

Creating a private endpoint for VM1 will enable private and secure communication between VM1 and Vault1. This approach ensures that only VM1, which has a private endpoint, can access the resources in Vault1. This is a more secure method than simply allowing an IP address or a virtual network because it leverages Azure Private Link to establish a secure connection.

Options A, C, and D do not provide the same level of security and access control as using a private endpoint. Option A allows access based on an IP address, which can be less secure. Option C adds the entire virtual network, potentially allowing more resources than just VM1 to access Vault1. Option D allows trusted Microsoft services to bypass the firewall, but it doesn't restrict access to VM1 specifically."

Re: AZ-500 topic 4 question 100

If the question is ambiguous, ChatGPT doesn't know either.

Re: AZ-500 topic 4 question 100

Agreed, it very clearly says only VM1 in the question making A correct.

Re: AZ-500 topic 4 question 100

The question is very specific and says ONLY from VM1. We don't know if there are more machines on VNet1, but if we add VNet1, any machine from VNet1 could access it, and it would defeat the purpose of the question.
"You need to allow access to Vault1 ONLY from VM1".
I'm going with A

Re: AZ-500 topic 4 question 100

C is correct

Re: AZ-500 topic 4 question 100

Why not add the IP address of the VM in the FW section of Key Vault? I would only select C if we assume the VM has an assigned dynamic IP. If we do not make this assumption, "A" would be my option, as you would give more restrictive access to the Key Vault: you would not allow any other, future added, resource access to the Key Vault.

Re: AZ-500 topic 4 question 100

So what do you do when this is done at scale? And do you then add static IPs to VMs? I don't think so. Therefore C is correct!

Re: AZ-500 topic 4 question 100

Just VM1 needs to access the KeyVault, not any other resource that could be created in VNET1. So I think the answer is still "A".

Re: AZ-500 topic 4 question 100

In a real-world scenario, you would be correct. This is a Microsoft certification exam with a specific use case for a single VM. While I agree this isn't practical for most applications, "A" will be the correct answer for this exam.

Re: AZ-500 topic 4 question 100

C is correct

Re: AZ-500 topic 4 question 100

Similar question