4 votes
You have an Azure subscription that contains a storage account named storage1 and the following virtual machines:

VM1 has a public IP address of 13.68.158.24 and is connected to VNET1/Subnet1
VM2 has a public IP address of 52.255.145.76 and is connected to VNET1/Subnet1
VM3 has a public IP address of 13.68.158.50 and is connected to VNET1/Subnet2

The subnets have the following service endpoints:

Subnet1 has a Microsoft.Storage service endpoint
Subnet2 does NOT have any service endpoint

Storage1 has a firewall configured to allow access from the 13.68.158.0/24 IP address range only.

You need to identify which virtual machines can access storage1.

What should you identify?

Select only one answer.

VM1 only

VM3 only

VM1 and VM2 only

VM1 and VM3 only

VM1, VM2, and VM3

by User Idmean (7.3k points)

2 Answers

2 votes

Final answer:

VM1 and VM2 can access storage1 because they are in the allowed IP range and connected to a subnet with a Microsoft.Storage service endpoint, while VM3, though in the range, is on a subnet without the service endpoint.

Step-by-step explanation:

To identify which virtual machines can access storage1, we should consider both the network configuration and the storage firewall rules. storage1 has a firewall that only allows access from the IP address range 13.68.158.0/24. Both VM1 and VM2 are within this IP address range and are connected to Subnet1, which has a Microsoft.Storage service endpoint enabled. This ensures that traffic to Azure Storage is optimized for low latency and travels over the Azure backbone network. VM3, although it has an IP address within the allowed range, is connected to Subnet2 which does not have a service endpoint for Microsoft.Storage; therefore, it is not guaranteed direct access to storage1.

Therefore, the virtual machines that can access storage1 are VM1 and VM2 only.

by User Andorov (8.2k points)
2 votes

Final answer:

VM1 and VM2 have public IP addresses within the allowed firewall range and are connected to a subnet with the required service endpoint, while VM3 is not. Therefore, VM1 and VM2 can access storage1, but VM3 cannot.

Step-by-step explanation:

To determine which virtual machines can access storage1, we need to consider both the network configuration and the firewall settings of the storage account. The firewall of storage1 is configured to allow access from the IP address range 13.68.158.0/24 only. Here's the breakdown:

VM1 has a public IP address within the allowed range and is connected to Subnet1 which has the Microsoft.Storage service endpoint enabled.

VM2 also has a different public IP address but still within the allowed range and is connected to the same subnet as VM1, which means it has access to the Microsoft.Storage service endpoint as well.

VM3, despite having a public IP within the allowed range, is connected to Subnet2 which does NOT have any service endpoint, and hence it cannot access storage1 through a service endpoint.

Therefore, both VM1 and VM2 can access storage1 but VM3 cannot due to the lack of a service endpoint on its subnet.

by User Mickaelw (7.1k points)
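
An added example, not part of the question or of either answer above: a small Python model of how a storage account firewall evaluates a request, applied to the question's values. It assumes Azure's documented behaviour that traffic from a subnet with a Microsoft.Storage service endpoint reaches the account with a private source address and is matched against virtual network rules rather than public-IP rules. The empty virtual network rule set is an assumption (the question lists none), and same-region effects on IP rules are not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    public_ip: str
    subnet: str


# Values taken from the question.
VMS = [
    VM("VM1", "13.68.158.24", "VNET1/Subnet1"),
    VM("VM2", "52.255.145.76", "VNET1/Subnet1"),
    VM("VM3", "13.68.158.50", "VNET1/Subnet2"),
]
STORAGE_ENDPOINT_SUBNETS = {"VNET1/Subnet1"}  # subnets with Microsoft.Storage
IP_RULES = ["13.68.158.0/24"]                 # storage1 firewall IP rule
VNET_RULES = set()                            # assumption: no virtual network rules


def in_ip_rules(ip, ip_rules=IP_RULES):
    """True if the address falls inside any allowed CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(rule) for rule in ip_rules)


def evaluate(vm, ip_rules=IP_RULES, vnet_rules=VNET_RULES):
    """Return (allowed, reason) for one VM under the modelled firewall."""
    if vm.subnet in STORAGE_ENDPOINT_SUBNETS:
        # Service endpoint path: the request is identified by its subnet and a
        # private source address, so public-IP rules are not what gets matched.
        if vm.subnet in vnet_rules:
            return True, "subnet matches a virtual network rule"
        return False, "service endpoint traffic, subnet has no virtual network rule"
    # No endpoint: traffic leaves via the public IP and is matched against IP rules.
    if in_ip_rules(vm.public_ip, ip_rules):
        return True, "public IP matches an IP rule"
    return False, "public IP is outside every IP rule"


def report(vnet_rules=VNET_RULES):
    """Evaluate every VM from the question; returns {name: (allowed, reason)}."""
    return {vm.name: evaluate(vm, vnet_rules=vnet_rules) for vm in VMS}


if __name__ == "__main__":
    for name, (ok, why) in report().items():
        print(f"{name}: {'allow' if ok else 'deny'} ({why})")
```

Passing `vnet_rules={"VNET1/Subnet1"}` to `report()` shows the effect of adding a virtual network rule for Subnet1 to the storage account.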