A team deployed a private endpoint for an Azure Storage account in VNet-A. The private endpoint is healthy, but VMs in VNet-A still resolve the storage account name to the public IP address. What should the administrator configure next?

Add a route table that sends storage traffic to the private endpoint.

Routing does not change name resolution. The VMs are failing to resolve the FQDN to the private address.

Create a network security group rule that allows outbound HTTPS.

An NSG rule may be necessary later, but it cannot change which IP address DNS returns for the storage name.

Enable service endpoints for Microsoft.Storage on the subnet.

Service endpoints are not required for private endpoint name resolution and still do not provide the private DNS mapping needed here.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Link the appropriate private DNS zone to VNet-A. — When a private endpoint is deployed, clients must resolve the service FQDN to the private endpoint IP. If they still get the public address, DNS is not pointing them to the private zone. Linking the private DNS zone to VNet-A provides the needed name resolution so the storage account name maps to the private IP. That is the key follow-up step after creating the private endpoint. Why others are wrong: A route table changes packet forwarding, not DNS answers. An NSG rule can allow or block traffic after resolution occurs, but it cannot alter the IP returned by the lookup. Service endpoints are a different connectivity model and do not fix private endpoint DNS behavior. The symptom is name resolution, so the correct fix is the private DNS zone link.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.