Technical Lab: Create service endpoints
Questions
Question 1 - Multiple Choice
A development team needs to ensure that an Azure storage account accepts traffic only from a specific subnet of a VNet. The administrator enables the Service Endpoint for Microsoft.Storage on the subnet and configures the network rule on the storage account.
What is the direct effect of enabling the Service Endpoint on the subnet?
A. Traffic is now routed through a private IP address allocated within the VNet for the storage service.
B. The subnet now uses the optimized route to the service's public endpoint, and the source IP address presented to the service is the VM's private IP.
C. A private IP address of the service is injected into the subnet via Private Endpoint link, eliminating the need for firewall rules.
D. Outbound traffic is blocked to the internet and redirected exclusively to the Microsoft backbone via NAT gateway.
Question 2 - Technical Scenario
A VM in subnet-app (VNet vnet-prod, region East US) needs to access a storage account in the same region. The administrator configured the following:
Subnet: subnet-app
Service Endpoint enabled: Microsoft.Storage
Storage account:
- Firewall: Selected networks
- Virtual networks: vnet-prod / subnet-app - ADDED
During testing, the VM can access the storage account normally. However, a second VM in subnet-db, within the same VNet, cannot access the same account, even without NSG rules blocking the traffic.
What is the most likely cause of the failure?
A. The Service Endpoint was enabled only on subnet-app; since subnet-db doesn't have the endpoint configured, its traffic still exits through the public IP and is blocked by the account's firewall.
B. The Service Endpoint is a VNet feature and, once enabled, applies automatically to all subnets; the problem is that the network rule wasn't saved correctly.
C. Different subnets require different VNets for the Service Endpoint to work independently.
D. The absence of a UDR (User Defined Route) in subnet-db prevents traffic from reaching the service endpoint.
Question 3 - True or False
Statement: When enabling a Service Endpoint on a subnet, traffic destined for the associated service no longer passes through the public internet and now travels exclusively through the Microsoft backbone, even if the destination account has no network rules configured to restrict access by VNet.
Is Service Endpoint traffic routed through the backbone regardless of the destination resource's firewall settings?
- True
- False
Question 4 - Multiple Choice
An architect evaluates whether to use Service Endpoints or Private Endpoints to protect access to an Azure SQL Database from a corporate VNet. After analysis, the architect decides to use a Private Endpoint.
What characteristic of Private Endpoints justifies this choice over Service Endpoints, considering the requirement that the service should not be accessible by any public path, even briefly?
A. Private Endpoints allow enabling access from multiple subnets simultaneously, while Service Endpoints require individual configuration per subnet.
B. With Private Endpoints, the resource receives a private IP within the VNet and can have its public access completely disabled at the service control plane, eliminating exposure through the public endpoint.
C. Service Endpoints don't support Azure SQL Database, making Private Endpoints the only available option for this service.
D. Private Endpoints use Microsoft Entra ID for mutual authentication, eliminating the need for network-based firewall rules.
Question 5 - Technical Scenario
An administrator needs to enable the Service Endpoint for Microsoft.KeyVault on an existing subnet that already has VMs in production. He executes the following command:
az network vnet subnet update \
--vnet-name vnet-prod \
--name subnet-app \
--resource-group rg-network \
--service-endpoints Microsoft.KeyVault
After execution, he observes that the VMs on the subnet experienced a brief network connectivity interruption.
What is the most precise cause of this behavior?
A. The command recreated the subnet from scratch, forcing IP reallocation for all VMs.
B. Updating the subnet to add Service Endpoints triggers a reconfiguration of the host's network programming, which briefly interrupts the existing TCP connections of the affected VMs.
C. Azure requires all network interfaces to be deallocated before modifying Service Endpoints on subnets with active resources, and the command forced this automatically.
D. The interruption occurred because Key Vault temporarily blocked connections while validating the new traffic source from the Service Endpoint.
Answer Key and Explanations
Answer Key - Question 1
Answer: B
When a Service Endpoint is enabled on a subnet, two effects occur simultaneously: the route to the service is optimized to pass through the Microsoft backbone instead of the public internet, and the source IP address presented to the service is the VM's private IP, not the VNet's public IP.
The main misconception represented by the incorrect alternatives is confusing Service Endpoint with Private Endpoint. Alternative A describes the behavior of a Private Endpoint, which actually injects a private IP within the VNet. Alternative C describes exactly this Private Endpoint mechanism. Alternative D confuses Service Endpoint with NAT Gateway, which is an internet outbound resource.
Service Endpoints don't create private IPs for the service; they only change the traffic path and the source identity presented to the destination resource.
Answer Key - Question 2
Answer: A
Service Endpoints are enabled per subnet, not per VNet. Each subnet that needs to communicate with the protected service must have the endpoint enabled individually, and the destination resource's network rule must include that subnet explicitly.
Since subnet-db doesn't have the endpoint enabled, traffic originating from it still exits through the VNet's public IP and reaches the storage account's firewall as external traffic, where it is blocked by the "Selected networks" policy.
Alternative B represents the most common misconception: imagining that the Service Endpoint is a VNet attribute and propagates to all subnets automatically. Alternative D confuses the need for UDR with Service Endpoints functionality; custom routes are not required for the endpoint to work on the correct subnet.
Answer Key - Question 3
Answer: True
This statement is true and represents a non-obvious behavior of Service Endpoints. Routing through the Microsoft backbone is a consequence of enabling the endpoint on the subnet and occurs independently of any configuration on the destination resource.
What the resource's firewall rules control is access authorization: if the storage account is configured to accept all networks (default behavior), the traffic will arrive and be accepted. If it's configured for selected networks without including the subnet, the traffic will arrive through the backbone but be rejected at the authorization layer.
Therefore, routing and authorization are distinct planes: the Service Endpoint controls the path, while the resource's network rules control access.
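To make the two planes described in the explanations for Questions 2 and 3 concrete, the following added Python example (not part of the lab) evaluates each subnet of vnet-prod against the storage account's firewall and reports the routing plane (path and source identity) separately from the authorization plane (allowed or rejected). The JSON inputs are constructed samples shaped like `az network vnet subnet list` and `az storage account show` output; the field names, the all-zero subscription ID and the account name are assumptions, and IP rules are not modelled.

```python
"""Evaluate Service Endpoint routing versus storage-account authorization
per subnet. Added example for the lab; inputs are constructed samples."""
import json

# Constructed sample shaped like `az network vnet subnet list` output
# (assumption: serviceEndpoints/service/provisioningState field names).
SUBNETS_JSON = json.dumps([
    {
        "name": "subnet-app",
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-network"
              "/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/subnet-app",
        "serviceEndpoints": [
            {"service": "Microsoft.Storage", "locations": ["eastus"], "provisioningState": "Succeeded"}
        ],
    },
    {
        "name": "subnet-db",
        "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-network"
              "/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/subnet-db",
        "serviceEndpoints": [],   # Q2: endpoint never enabled here
    },
])

# Constructed sample shaped like the networkRuleSet of `az storage account show`
# (assumption: defaultAction/virtualNetworkRules/virtualNetworkResourceId names).
STORAGE_JSON = json.dumps({
    "name": "stprodexample",   # placeholder account name
    "networkRuleSet": {
        "defaultAction": "Deny",   # "Selected networks" in the portal
        "bypass": "AzureServices",
        "ipRules": [],             # public IP rules are not modelled below
        "virtualNetworkRules": [
            {"virtualNetworkResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                         "/resourceGroups/rg-network/providers/Microsoft.Network"
                                         "/virtualNetworks/vnet-prod/subnets/subnet-app",
             "action": "Allow", "state": "Succeeded"}
        ],
    },
})


def has_endpoint(subnet, service="Microsoft.Storage"):
    """True when the subnet has a provisioned Service Endpoint for `service`."""
    return any(e["service"] == service and e.get("provisioningState") == "Succeeded"
               for e in subnet.get("serviceEndpoints", []))


def allowed_subnet_ids(rule_set):
    """Subnet resource IDs the account firewall allows (resource IDs are compared case-insensitively)."""
    return {r["virtualNetworkResourceId"].lower()
            for r in rule_set.get("virtualNetworkRules", [])
            if r.get("action", "Allow") == "Allow"}


def evaluate(subnet, storage, service="Microsoft.Storage"):
    """Return the routing-plane and authorization-plane outcome for one subnet."""
    rules = storage["networkRuleSet"]
    endpoint = has_endpoint(subnet, service)
    # Routing plane: decided solely by the subnet's endpoint, never by the account.
    path = "microsoft-backbone" if endpoint else "public-internet"
    source = "vm-private-ip" if endpoint else "vnet-public-ip"
    # Authorization plane: decided by the account's network rules.
    if rules.get("defaultAction", "Allow") == "Allow":
        allowed, reason = True, "account allows all networks"
    elif endpoint and subnet["id"].lower() in allowed_subnet_ids(rules):
        allowed, reason = True, "subnet listed in virtualNetworkRules and presents its private identity"
    elif endpoint:
        allowed, reason = False, "endpoint enabled but subnet missing from virtualNetworkRules"
    else:
        allowed, reason = False, "no endpoint: arrives as public traffic and hits defaultAction=Deny"
    return {"subnet": subnet["name"], "path": path, "source": source,
            "allowed": allowed, "reason": reason}


def audit(subnets_json=SUBNETS_JSON, storage_json=STORAGE_JSON):
    """Evaluate every subnet; returns a dict keyed by subnet name."""
    storage = json.loads(storage_json)
    return {s["name"]: evaluate(s, storage) for s in json.loads(subnets_json)}


if __name__ == "__main__":
    for name, r in audit().items():
        print(f"{name}: path={r['path']} source={r['source']} "
              f"allowed={r['allowed']} ({r['reason']})")
```

Running it reproduces the Question 2 outcome: subnet-app is allowed over the backbone, while subnet-db arrives over the public internet with the VNet's public IP and is denied. Flipping `defaultAction` to `Allow` changes only the authorization result, and removing subnet-app from the rules leaves its traffic on the backbone but rejected, which is the Question 3 point.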
Answer Key - Question 4
Answer: B
The central distinction is that Private Endpoints allow completely disabling public access to the resource at the service level. With this, Azure SQL Database becomes accessible exclusively through the private IP injected into the VNet, and any attempt to access through the public endpoint is rejected before even reaching the authentication layer.
With Service Endpoints, the service's public endpoint continues to exist and be active; what changes is that the firewall rule restricts which sources can use it. This means the public endpoint remains technically exposed, albeit controlled by policy.
Alternative C is false: Microsoft.Sql is one of the supported Service Endpoint types. Alternative D is incorrect because Private Endpoints don't use Microsoft Entra ID as a network access control mechanism; authentication to the service is independent of the type of network connectivity adopted.
Answer Key - Question 5
Answer: B
Enabling a Service Endpoint on an existing subnet requires Azure to reprogram the routing policies and network rules at the hypervisor/host level for all VMs on that subnet. This process causes a brief interruption in established TCP connections, as the underlying network programming is updated in real time.
This behavior is documented by Microsoft and should be considered when planning endpoint enablement on production subnets, preferably during maintenance windows.
Alternative A is false: subnets are not recreated and IPs are not reallocated. Alternative C is false: Azure doesn't automatically deallocate network interfaces for this operation. Alternative D is false: Key Vault doesn't actively participate in the subnet endpoint enablement process; the interruption occurs at the host's network layer, not at the destination service.
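Because every subnet update can briefly interrupt established connections, a practitioner usually wants the change to be idempotent: read the subnet's current endpoints, compute the merged list, and only issue the `az` command when something actually changes. The following added Python example (not from the lab) builds such a plan. The subnet JSON is a constructed sample shaped like `az network vnet subnet show` output, and the example assumes that `--service-endpoints` sets the subnet's complete list, so the plan merges the endpoints that are already enabled rather than passing only the new one.

```python
"""Plan a Service Endpoint change so the subnet update runs only when it
changes something. Added example for the lab; input is a constructed sample."""
import json
import shlex

# Constructed sample shaped like `az network vnet subnet show` output (assumption:
# serviceEndpoints/service/provisioningState field names). Microsoft.Storage is
# already enabled, which is exactly the endpoint a naive update would drop.
SUBNET_JSON = json.dumps({
    "name": "subnet-app",
    "serviceEndpoints": [
        {"service": "Microsoft.Storage", "locations": ["eastus"], "provisioningState": "Succeeded"}
    ],
})


def current_endpoints(subnet):
    """Sorted list of service names already enabled on the subnet."""
    return sorted({e["service"] for e in subnet.get("serviceEndpoints", [])})


def plan_update(subnet_json, wanted, vnet="vnet-prod", rg="rg-network"):
    """Merge `wanted` into the existing endpoints and return the command to run.

    change_needed is False when every wanted endpoint is already present, so the
    caller can skip the update and avoid an unnecessary interruption on the subnet.
    """
    subnet = json.loads(subnet_json)
    have = set(current_endpoints(subnet))
    desired = sorted(have | set(wanted))
    if set(desired) == have:
        return {"change_needed": False, "endpoints": desired, "command": None}
    # Assumption: --service-endpoints sets the whole list, hence the merged `desired`.
    cmd = ["az", "network", "vnet", "subnet", "update",
           "--vnet-name", vnet, "--name", subnet["name"], "--resource-group", rg,
           "--service-endpoints", *desired]
    return {"change_needed": True, "endpoints": desired, "command": shlex.join(cmd)}


if __name__ == "__main__":
    plan = plan_update(SUBNET_JSON, ["Microsoft.KeyVault"])
    if plan["change_needed"]:
        print("Schedule in a maintenance window; existing TCP connections may be interrupted:")
        print(plan["command"])
    else:
        print("Nothing to do; endpoints already enabled:", plan["endpoints"])
```

Only the printed command is meant to be executed, and only once the interruption has been accepted for that window; rerunning the script afterwards reports nothing to do instead of reprogramming the subnet a second time.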