ExpertMedium1 markMultiple Choice
AZ-305 · Question 50 · Domain 4.4: Network Solutions
You have an Azure Virtual Network (VNet) containing several Virtual Machines.
The VMs need to access an Azure Storage account to read configuration files. The security team mandates that traffic between the VNet and the Storage account must NOT traverse the public internet. Furthermore, the VMs must only be able to access this specific Storage account, and access to any other Azure Storage accounts must be blocked at the network level.
Which feature should you implement?
You have an Azure Virtual Network (VNet) containing several Virtual Machines.
The VMs need to access an Azure Storage account to read configuration files. The security team mandates that traffic between the VNet and the Storage account must NOT traverse the public internet. Furthermore, the VMs must only be able to access this specific Storage account, and access to any other Azure Storage accounts must be blocked at the network level.
Which feature should you implement?
Answer options:
A.
Service Endpoints
B.
Azure Private Link (Private Endpoint)
C.
Network Security Groups (NSGs) with Service Tags
D.
VNet Peering
How to approach this question
Differentiate between Service Endpoints (grants access to the whole service) and Private Endpoints (grants access to a specific resource instance).
Full Answer
B.Azure Private Link (Private Endpoint)✓ Correct
Azure Private Link (Private Endpoint)
Azure Private Link (via Private Endpoints) is the most secure way to connect to Azure PaaS services. It assigns a private IP address from your VNet directly to the specific Azure Storage account. This ensures traffic never leaves the private network. Crucially, because the connection is mapped to a specific resource instance, it inherently prevents data exfiltration to other storage accounts. Service Endpoints, by default, open the VNet to all instances of the service.
Common mistakes
Choosing Service Endpoints. While Service Endpoints keep traffic on the Azure backbone, they do not easily restrict access to a *single* storage account without additional complex configurations.
Practice the full Azure Solutions Architect Expert AZ-305 Practice Exam 2
55 questions · hints · full answers · grading
More questions from this exam
Q01Fabrikam Inc. is a global financial services company with 200 Azure subscriptions managed via a c...HardQ02A healthcare organization has 500 on-premises Windows Server VMs and 300 Azure VMs. They are impl...HardQ03You are designing a security monitoring solution using Microsoft Sentinel.
The compliance depar...EasyQ04Your company has a microservices application deployed across multiple Azure App Service instances...MediumQ05A defense contractor is migrating to Microsoft 365 and Azure. They have a strict security policy ...Hard