HOTSPOT You have an Azure subscription that contains a storage account named storage1 and several virtual machines. The storage account and virtual machines are in the same Azure region. The network configurations of the virtual machines are shown in the following table. 
The virtual network subnets have service endpoints defined as shown in the following table. 
You configure the following Firewall and virtual networks settings for storage1: Allow access from: Selected networks Virtual networks: VNET3\Subnet3 Firewall – Address range: 52.233.129.0/24 For each of the following statements, select Yes if the statement is true. Otherwise, select No. 
Pretty sure about this since VM2’s public IP matches the allowed range in the storage firewall, while VM1 and VM3 aren't included in the permitted subnet rules. Real exam questions like this show up a lot. Official docs and practice sets cover these scenarios well.
VM1 - NO; VM2 - YES; VM3 - NO. VM2 gets in because its public IP fits the firewall rule, but only VNET3/Subnet3 is allowed for virtual networks, and that subnet doesn't even have a Storage endpoint. I think that's right, correct me if you see something I'm missing.
