
AZ-500 Question #20: Real Exam Question with Answer & Explanation

The correct answer is C: Install the container network interface (CNI) plug-in.

Submitted by yasin.bd · Mar 6, 2026 · Secure networking

Question

You have an Azure subscription named Sub1. Sub1 contains a virtual network named VNet1 that contains one subnet named Subnet1. You create a service endpoint for Subnet1. Subnet1 contains an Azure virtual machine named VM1 that runs Ubuntu Server 18.04. You need to deploy Docker containers to VM1. The containers must be able to access Azure Storage resources and Azure SQL databases by using the service endpoint.

Options

  • A. Create an application security group and a network security group (NSG).
  • B. Edit the docker-compose.yml file.
  • C. Install the container network interface (CNI) plug-in.

Explanation

Installing the Container Network Interface (CNI) plug-in is correct because Docker containers running on a VM do not automatically inherit the VM's network configuration, including service endpoints. The CNI plug-in bridges the container networking layer with the host VM's virtual network, allowing containers to route traffic through the service endpoint to reach Azure Storage and Azure SQL databases securely.

Option A is wrong because Application Security Groups and NSGs control traffic filtering and access rules at the VM/subnet level - they do not enable containers to use a service endpoint for outbound connectivity to Azure PaaS services.

Option B is wrong because docker-compose.yml is used to define and configure multi-container applications (services, volumes, networks), not to integrate container networking with Azure virtual network service endpoints.

🧠 Memory Tip

Think of it this way: CNI = Container Network Integration with Azure's virtual network. Just as you need a driver to connect hardware to an OS, you need the CNI plug-in to connect Docker containers to Azure's VNet infrastructure - including service endpoints. If a question involves containers needing VNet-aware networking on an Azure VM, the CNI plug-in is almost always the answer.

Topics

#Service Endpoints #Container Networking #Azure VNet Integration #Docker
