An on-premises application connects to Azure through an existing site-to-site VPN. The application must access an Azure Blob Storage account over a private IP, and the storage account must not accept public network traffic. Which configuration should the administrator deploy?
A private endpoint gives the storage account a private IP address inside a VNet. Because the on-premises network already reaches Azure through a site-to-site VPN, on-prem clients can reach that private IP over the encrypted tunnel, provided DNS is also configured to resolve the private name correctly. This satisfies both goals: private connectivity and no public network access to the storage account.
Why this answer
Option B is correct because a private endpoint assigns the storage account a private IP from an Azure VNet, making it accessible over the site-to-site VPN without traversing the public internet. This satisfies the requirement for private IP access and allows the storage account to block all public network traffic by disabling public network access in the firewall settings.
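As an added example (not part of the original question or answer), the Bicep below deploys the pattern described: a storage account with public network access disabled, a private endpoint for the blob service in an existing subnet, and the private DNS zone that makes the account's blob hostname resolve to the private IP. The VNet name, subnet name and storage account name are assumed placeholders; the VNet is assumed to be the one the site-to-site VPN gateway is attached to, and on-premises DNS is assumed to forward the privatelink zone to a resolver in that VNet.

```bicep
param location string = resourceGroup().location
param storageName string = 'stprivateexample001' // placeholder; must be globally unique
param vnetName string = 'vnet-hub'                // assumed existing VNet (VPN gateway attached)
param subnetName string = 'snet-pe'               // assumed existing subnet for the endpoint

// Storage account: public network access disabled, so only the private endpoint is reachable.
resource sa 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    publicNetworkAccess: 'Disabled'                        // blocks all public traffic
    networkAcls: { defaultAction: 'Deny', bypass: 'None' } // no firewall exceptions
  }
}

// Private endpoint: a NIC with a private IP in the subnet, targeting the blob sub-resource.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageName}-blob'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, subnetName) }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: { privateLinkServiceId: sa.id, groupIds: [ 'blob' ] }
      }
    ]
  }
}

// DNS: the account's blob hostname must resolve to the private IP, not the public one.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.core.windows.net'
  location: 'global'
}
resource link 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'link-${vnetName}'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: resourceId('Microsoft.Network/virtualNetworks', vnetName) } }
}

// Zone group writes the endpoint's A record into the private zone automatically.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'blob', properties: { privateDnsZoneId: zone.id } } ] }
}
```

After deployment, a client on the on-premises side should resolve the account's blob hostname to an address inside the endpoint subnet; a public IP in that answer means the DNS forwarding path is missing and traffic will be refused by the storage firewall.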
Exam trap
The trap here is that candidates often confuse service endpoints with private endpoints and assume both provide private IP access. Only private endpoints remove the public endpoint entirely, which is necessary when public network access must be disabled.
How to eliminate wrong answers
Option A is wrong because a service endpoint does not assign a private IP to the storage account; it only extends the VNet identity to the service, and the storage account still uses its public endpoint, which conflicts with the requirement to not accept public network traffic.

Option C is wrong because a NAT gateway provides outbound internet connectivity for a subnet, not inbound private access to a storage account, and it does not affect the storage account's public endpoint.

Option D is wrong because an application security group (ASG) is a grouping of VM network interfaces used in network security group (NSG) rules, not a resource that can be applied to a storage account to control its network access.