AZ-700 Question #50: Real Exam Question with Answer & Explanation

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You have an Azure subscription that contains the following resources: - A virtual network named Vnet1 - A subnet named Subnet1 in Vnet1 - A virtual machine named VM1 that connects to Subnet1 - Three storage accounts named storage1, storage2, and storage3 You need to ensure that VM1 can access storage1. VM1 must be prevented from accessing any other storage accounts. Solution: You create a network security group (NSG) and associate the NSG to Subnet1. Does this meet the goal?

Options

• AYes
• BNo

Explanation

The answer is No - the proposed solution does not meet the requirements. This is part of a series where a specific solution was presented (likely configuring a Service Endpoint on Subnet1 for Azure Storage without also applying a network rule on storage1 to allow only that subnet, or similar). Simply enabling a service endpoint alone does not restrict VM1 to only storage1 - it allows access to ALL storage accounts in the region via the Microsoft backbone. To restrict VM1 to only storage1, you need both a service endpoint on the subnet AND a network rule on storage1 that allows only that subnet, while storage2 and storage3 must deny that subnet. Without the per-account network rules, the restriction goal is not achieved.

No community discussion yet for this question.