Microsoft Azure Security Engineer Associate AZ-500 Practice Question
VNet1 in East US contains a subnet named AppSubnet where VMs upload data to several Azure Storage accounts. You must make sure that traffic from AppSubnet to the storage accounts travels across the Microsoft backbone, and that the storage accounts can be configured to reject connections not coming from AppSubnet. You cannot assign private IPs to the storage accounts or change their DNS. Which feature should you enable on AppSubnet?
Enable a virtual network service endpoint for Microsoft.Storage on AppSubnet.
Associate a NAT gateway with AppSubnet to provide a static outbound IP.
Create a private endpoint for each storage account and link a private DNS zone.
Deploy an Azure Firewall and configure DNAT rules to forward storage traffic.
A virtual network service endpoint for Microsoft.Storage extends the identity of AppSubnet to the Azure Storage service. After the endpoint is enabled, traffic from the subnet to any storage account in the same region is routed over the Microsoft backbone rather than the public Internet. You can then add the subnet to each storage account's network rules so that connections from other locations are denied. The storage accounts keep their public IP addresses and existing DNS records, so no private IP assignment or custom DNS is required.
Private endpoints would also secure the traffic but would assign private IPs and require Private DNS integration, which the scenario disallows. A NAT gateway provides outbound SNAT only and does not let the storage account distinguish traffic sources. Deploying an Azure Firewall with DNAT rules would not eliminate Internet traversal and would add unnecessary complexity.
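The explanation above depends on two settings lining up: the Microsoft.Storage service endpoint on AppSubnet, and each storage account's network rules denying by default while allowing that subnet. The following audit is an added example, not part of the original question. It assumes input shaped like the JSON from `az network vnet subnet show` and `az storage account show`; the subscription ID, resource group and account names are constructed placeholders.

```python
# Constructed sample data shaped like `az network vnet subnet show` and
# `az storage account show` output; IDs and account names are placeholders.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1"
             "/providers/Microsoft.Network/virtualNetworks/VNet1/subnets/AppSubnet")
SUBNET = {"id": SUBNET_ID, "serviceEndpoints": [{"service": "Microsoft.Storage"}]}

def _rules(default, vnet_ids=(), ips=()):
    """Build a constructed networkRuleSet for the sample accounts."""
    return {"defaultAction": default,
            "virtualNetworkRules": [{"virtualNetworkResourceId": v, "action": "Allow"}
                                    for v in vnet_ids],
            "ipRules": [{"ipAddressOrRange": ip, "action": "Allow"} for ip in ips]}

ACCOUNTS = [
    {"name": "stlocked", "networkRuleSet": _rules("Deny", [SUBNET_ID.lower()])},
    {"name": "stopen", "networkRuleSet": _rules("Allow", [SUBNET_ID])},
    {"name": "stnorule", "networkRuleSet": _rules("Deny")},
    {"name": "stextraip", "networkRuleSet": _rules("Deny", [SUBNET_ID], ["203.0.113.10"])},
]

def subnet_has_storage_endpoint(subnet):
    """True if the subnet has the Microsoft.Storage service endpoint enabled."""
    return any(ep.get("service", "").lower() == "microsoft.storage"
               for ep in subnet.get("serviceEndpoints") or [])

def audit_account(account, subnet_id):
    """Return findings that break 'reject connections not coming from the subnet'."""
    rules = account.get("networkRuleSet") or {}
    findings = []
    if rules.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny, so network rules do not restrict access")
    # Azure resource IDs are case-insensitive, so compare them lowercased.
    allowed = {r["virtualNetworkResourceId"].lower()
               for r in rules.get("virtualNetworkRules") or []}
    if subnet_id.lower() not in allowed:
        findings.append("subnet is not in virtualNetworkRules")
    if allowed - {subnet_id.lower()}:
        findings.append("other subnets are also allowed")
    if rules.get("ipRules"):
        findings.append("public IP rules also allow access")
    return findings

def audit(subnet, accounts):
    """Map each account name to its findings; flag a missing subnet endpoint."""
    report = {a["name"]: audit_account(a, subnet["id"]) for a in accounts}
    if not subnet_has_storage_endpoint(subnet):
        report["(subnet)"] = ["Microsoft.Storage service endpoint is not enabled"]
    return report

if __name__ == "__main__":
    for name, findings in audit(SUBNET, ACCOUNTS).items():
        print(name, "OK" if not findings else findings)
```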