Microsoft Azure Security Engineer Associate AZ-500 Practice Question
Your company uses an Azure Storage account named diagstore to collect diagnostic logs. The account must reject all traffic except from two virtual networks in the subscription. In addition, Azure Monitor must continue to write platform metrics to diagstore. You have created firewall rules that allow only the required VNets and blocked public network access. Which additional setting should you configure on diagstore to meet the requirement?
Enable the "Allow trusted Microsoft services to bypass the firewall" setting on the storage account.
Enable Azure Private Link for diagstore and set the routing preference to Microsoft network.
Add the public IP address ranges used by Azure Monitor as individual firewall rules.
Configure a service endpoint policy that targets Microsoft.Storage on each virtual network.
Azure Monitor is one of the services classified by Microsoft as a "trusted Microsoft service." When the setting "Allow trusted Microsoft services to bypass the firewall" is enabled on a storage account, these services can reach the account even when public network access is denied and only selected VNets are allowed. Service endpoint policies do not allow a service itself to bypass a storage firewall. Adding Azure Monitor's public IP ranges is unnecessary and brittle, because IPs may change. Enabling Private Link for the storage account would require Azure Monitor to also use a Private Endpoint, which it does not; therefore, it would block the ingestion path. Enabling the trusted-service bypass is the only configuration that satisfies the requirement.
Secure networking