Question 726 of 1,170
Implement and Manage StorageeasyMultiple ChoiceObjective-mapped

Quick Answer

The correct configuration is to create a service endpoint on the subnet and a storage firewall rule that allows that specific subnet. This works because the service endpoint extends the virtual network’s identity to the storage account, ensuring that traffic from the subnet is tagged with the subnet’s source IP, while the firewall rule then explicitly permits only that tagged traffic, effectively locking down the public endpoint to that single subnet without needing a private endpoint. On the AZ-104 exam, this scenario tests your understanding of network segmentation and service endpoints versus private endpoints—a common trap is assuming a private endpoint is required when the question explicitly states the public endpoint must remain in use. Remember the key distinction: service endpoints secure the public endpoint by subnet identity; private endpoints give the resource a private IP. Memory tip: “Service endpoint secures the public path; private endpoint creates a private lane.”

AZ-104 Implement and Manage Storage Practice Question

This AZ-104 practice question tests your understanding of implement and manage storage. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A storage account must accept traffic only from a single subnet. The team wants to keep using the storage account's public endpoint and does not want to deploy a private endpoint. What should you configure?

Question 1easymultiple choice
Review the full subnetting walkthrough →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

A service endpoint on the subnet and a storage firewall rule that allows that subnet

Option B is correct because a service endpoint on the subnet extends the virtual network identity to the storage account, and a storage firewall rule that allows that subnet restricts access to only traffic originating from that subnet. This meets the requirement of using the public endpoint without deploying a private endpoint, as the storage account's public endpoint remains accessible but is locked down to the specified subnet via the firewall rule.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • A private endpoint and private DNS zone

    Why it's wrong here

    A private endpoint creates private IP access, which the team explicitly does not want to use.

  • A service endpoint on the subnet and a storage firewall rule that allows that subnet

    Why this is correct

    A service endpoint lets the subnet reach the storage account over the public endpoint while the firewall restricts access to that subnet only.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Read-access geo-redundant storage (RA-GRS)

    Why it's wrong here

    RA-GRS is a redundancy setting and does not control which subnet can connect to the account.

  • Archive access tier for the container

    Why it's wrong here

    The access tier affects blob retrieval cost and speed, not which network can reach the storage account.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse service endpoints with private endpoints, assuming that restricting access to a subnet requires a private endpoint, but service endpoints with firewall rules achieve the same goal using the public endpoint.

Detailed technical explanation

How to think about this question

Service endpoints work by adding the subnet's identity to the traffic via route optimization and enabling the storage firewall to filter based on the source subnet's virtual network ID, not just the public IP. The storage firewall rule uses the subnet's resource ID in the format /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}, ensuring that only traffic from that specific subnet is allowed. In a real-world scenario, this is ideal for workloads that need to avoid private endpoint costs or complexity while still enforcing network segmentation.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related AZ-104 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-104 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-104 question test?

Implement and Manage Storage — This question tests Implement and Manage Storage — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: A service endpoint on the subnet and a storage firewall rule that allows that subnet — Option B is correct because a service endpoint on the subnet extends the virtual network identity to the storage account, and a storage firewall rule that allows that subnet restricts access to only traffic originating from that subnet. This meets the requirement of using the public endpoint without deploying a private endpoint, as the storage account's public endpoint remains accessible but is locked down to the specified subnet via the firewall rule.

What should I do if I get this AZ-104 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

6 more ways this is tested on AZ-104

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A storage account should accept requests only from a specific virtual network subnet in Azure. The team does not want traffic to reach the public endpoint from the internet. What should the administrator configure?

easy
  • A.Enable anonymous blob access
  • B.Add a storage network rule for the subnet or use a private endpoint
  • C.Move the container to the Archive tier
  • D.Assign the Contributor role to the subnet

Why B: Option B is correct because Azure storage accounts can restrict access to specific virtual network subnets using service endpoints or private endpoints. A storage network rule for the subnet allows traffic only from that subnet, while a private endpoint maps the storage account to a private IP in the VNet, completely bypassing the public endpoint. This ensures no internet traffic reaches the public endpoint, meeting the requirement.

Variation 2. A web app in a subnet must access a storage account through the storage account's public FQDN. Access must be limited to that single subnet, and the team does not want to deploy a private endpoint or manage private DNS records. Which configuration should you use?

hard
  • A.Deploy a private endpoint and private DNS zone.
  • B.Enable a service endpoint on the subnet and allow that subnet in the storage account network rules.
  • C.Add a route table that sends storage traffic to an NVA.
  • D.Place the storage account behind a public load balancer.

Why B: Option B is correct because a service endpoint on the subnet allows the web app to access the storage account via its public FQDN while restricting access to that specific subnet. By enabling the Microsoft.Storage service endpoint on the subnet and adding the subnet's virtual network rule to the storage account's network rules, traffic from the subnet to the storage account's public endpoint is routed through the Azure backbone network, and only traffic from that subnet is permitted. This meets the requirement of limiting access without deploying a private endpoint or managing private DNS records.

Variation 3. A team wants to allow a subnet to access a storage account only from that subnet, but they do not want to create a private endpoint or change DNS. The storage account should still be reachable through its public endpoint, just not from other networks. What should the administrator configure?

medium
  • A.A private endpoint for the storage account and a private DNS zone.
  • B.A public IP address for the subnet and a storage account firewall exception.
  • C.A service endpoint on the subnet and a storage firewall rule allowing that subnet.
  • D.An NSG rule that permits outbound TCP 443 to the storage account.

Why C: Option C is correct because a service endpoint on the subnet extends the virtual network identity to the storage account, allowing the storage firewall to restrict access to traffic originating from that specific subnet. This ensures the storage account remains reachable via its public endpoint, but only from the configured subnet, without requiring a private endpoint or DNS changes.

Variation 4. An application on a VM in subnet AppSubnet must access a storage account over the public endpoint. The security team wants to allow traffic only from AppSubnet and does not want to deploy a private endpoint. What should the administrator configure?

medium
  • A.Disable the storage account firewall and rely on the VM's source IP address.
  • B.Enable the Microsoft.Storage service endpoint on AppSubnet and allow that virtual network in the storage account firewall.
  • C.Create a private endpoint and leave the firewall set to allow all networks.
  • D.Grant the VM Contributor access to the storage account and the network rule will be enforced automatically.

Why B: Option B is correct because enabling a Microsoft.Storage service endpoint on AppSubnet allows traffic from that subnet to the storage account over the Azure backbone network, while still using the public endpoint. Then, configuring the storage account firewall to allow that virtual network restricts access exclusively to AppSubnet, meeting the security requirement without deploying a private endpoint.

Variation 5. An application runs on an Azure VM in a subnet and must access a storage account over the public endpoint without using a private IP address. The administrator wants to restrict access so only that subnet can reach the account. What should be configured?

medium
  • A.Create a private endpoint for the storage account and disable the public endpoint.
  • B.Enable a service endpoint for Microsoft.Storage on the subnet and add the subnet to the storage account network rules.
  • C.Allow trusted Microsoft services to bypass the firewall.
  • D.Add a user-defined route that points storage traffic to the virtual network gateway.

Why B: Option B is correct because a service endpoint for Microsoft.Storage extends the virtual network identity to the subnet, allowing the storage account firewall to accept traffic from that subnet via its public endpoint. This meets the requirement of restricting access to the storage account's public endpoint without using a private IP address.

Variation 6. Based on the exhibit, the security team wants AppSubnet to access an Azure Storage account through the public endpoint, but only that subnet should be allowed. They do not want a private IP or DNS changes. What should the administrator configure?

medium
  • A.Enable the Microsoft.Storage service endpoint on AppSubnet and add AppSubnet as a network rule on the storage account.
  • B.Create a private endpoint for the storage account and disable public access.
  • C.Attach a route table that sends storage traffic to the internet.
  • D.Grant the subnet a Reader role assignment on the storage account.

Why A: Option A is correct because enabling the Microsoft.Storage service endpoint on AppSubnet allows traffic from that subnet to reach the storage account over the Azure backbone network using the public endpoint, without requiring a private IP or DNS changes. Adding AppSubnet as a network rule on the storage account restricts access exclusively to that subnet, fulfilling the security team's requirement.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.