AZ-500 Question #409: Real Exam Question with Answer & Explanation
This question tests knowledge of Azure Cosmos DB firewall rules, virtual network service endpoints, and private endpoints - specifically how they control access from Azure virtual machines to a Cosmos DB account.
Question
Hotspot Question

You have an Azure subscription that contains the virtual machines shown in the following table.

You have an Azure Cosmos DB account named cosmos1 configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Answer:
Explanation
Approach. Azure Cosmos DB can restrict access using IP firewall rules, virtual network (VNet) service endpoints, and private endpoints. When a Cosmos DB account is configured with 'Selected networks' and specific VNet/subnet rules, only VMs in those approved subnets can access Cosmos DB via the service endpoint. VMs in subnets not listed in the firewall rules are blocked. If a private endpoint is configured, access is routed through the private IP within the VNet, bypassing public network rules.

To determine Yes/No for each statement, check:

- (1) whether the VM's subnet has a service endpoint or private endpoint configured for the Cosmos DB account,
- (2) whether the subnet is listed in Cosmos DB's virtual network firewall rules, and
- (3) whether the 'Allow access from Azure portal' or 'Allow access from my IP' toggles are enabled.

A VM whose subnet is NOT listed in the allowed networks and has no private endpoint will be DENIED access (No), while a VM in an approved subnet with the service endpoint enabled will be GRANTED access (Yes).
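The checks above, written as a small evaluator (an added example, not part of the original question or its exhibit). The account dictionary uses the property names from the Cosmos DB resource (`isVirtualNetworkFilterEnabled`, `virtualNetworkRules`, `ipRules`, `publicNetworkAccess`); the VM keys, `private_endpoint_subnets`, the VM names and all sample values are constructed assumptions. It also covers one case beyond the text: once a subnet has the service endpoint enabled, its traffic no longer matches IP rules.

```python
import ipaddress

SERVICE = "Microsoft.AzureCosmosDB"  # service endpoint name for Cosmos DB

def vnet_of(subnet_id):
    return subnet_id.lower().split("/subnets/")[0]

def vm_can_reach(account, vm):
    """Return (allowed, reason); vm keys are hypothetical, chosen for this example."""
    subnet = vm["subnet_id"].lower()
    # Private endpoint: the VM connects to a private IP, public rules are not consulted.
    # Assumes same-VNet reachability and working private DNS.
    if any(vnet_of(s) == vnet_of(subnet) for s in account.get("private_endpoint_subnets", [])):
        return True, "private endpoint"
    if account.get("publicNetworkAccess") == "Disabled":
        return False, "public access disabled"
    ip_rules = [r["ipAddressOrRange"] for r in account.get("ipRules", [])]
    vnet_on = account.get("isVirtualNetworkFilterEnabled", False)
    if not vnet_on and not ip_rules:
        return True, "all networks"
    if SERVICE in vm.get("service_endpoints", []):
        # Endpoint on: Cosmos DB sees the subnet as the source, so IP rules cannot match.
        rules = {r["id"].lower() for r in account.get("virtualNetworkRules", [])}
        if vnet_on and subnet in rules:
            return True, "vnet rule"
        return False, "subnet not allowed"
    ip = vm.get("public_ip")
    if ip and any(ipaddress.ip_address(ip) in ipaddress.ip_network(r, strict=False) for r in ip_rules):
        return True, "ip rule"
    return False, "no matching rule"

# Constructed sample data (placeholder subscription id, documentation IP ranges).
NET = "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks"
ACCOUNT = {
    "name": "cosmos1",
    "publicNetworkAccess": "Enabled",
    "isVirtualNetworkFilterEnabled": True,
    "virtualNetworkRules": [{"id": f"{NET}/vnetA/subnets/app"}],
    "ipRules": [{"ipAddressOrRange": "203.0.113.0/28"}],
    "private_endpoint_subnets": [f"{NET}/vnetC/subnets/pe"],  # hypothetical key
}
VMS = {
    "vm-a": {"subnet_id": f"{NET}/vnetA/subnets/app", "service_endpoints": [SERVICE]},
    "vm-b": {"subnet_id": f"{NET}/vnetA/subnets/db", "service_endpoints": [SERVICE], "public_ip": "203.0.113.5"},
    "vm-c": {"subnet_id": f"{NET}/vnetB/subnets/default", "public_ip": "203.0.113.5"},
    "vm-d": {"subnet_id": f"{NET}/vnetC/subnets/work"},
    "vm-e": {"subnet_id": f"{NET}/vnetB/subnets/default", "public_ip": "198.51.100.7"},
}

if __name__ == "__main__":
    for name, vm in VMS.items():
        print(name, *vm_can_reach(ACCOUNT, vm))
```
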
Concept tested. Azure Cosmos DB network security - virtual network service endpoints, IP firewall rules, and private endpoint configurations controlling VM access to Cosmos DB accounts.
Reference. https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-vnet-service-endpoint