HOTSPOT You have an Azure subscription that contains a storage account named storage1 and several virtual machines. The storage account and virtual machines are in the same Azure region. The network configurations of the virtual machines are shown in the following table. 
The virtual network subnets have service endpoints defined as shown in the following table. 
You configure the following Firewall and virtual networks settings for storage1: Allow access from: Selected networks Virtual networks: VNET3\Subnet3 Firewall – Address range: 52.233.129.0/24 For each of the following statements, select Yes if the statement is true. Otherwise, select No. 
Pretty sure about this since VM2’s public IP matches the allowed range in the storage firewall, while VM1 and VM3 aren't included in the permitted subnet rules. Real exam questions like this show up a lot. Official docs and practice sets cover these scenarios well.
Wait, so can VM3 actually reach storage1 if its subnet isn’t using the Microsoft.Storage endpoint? I thought just being in the right subnet wasn’t enough, you need both: allowed subnet and service endpoint. Or does Azure allow access anyway?
