Question 428 of 1,170
Implement and Manage Virtual NetworkingmediumMultiple ChoiceObjective-mapped

Azure Storage Service Endpoint vs Private Endpoint

This AZ-104 practice question tests your understanding of implement and manage virtual networking. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A web app in VNet1 must access a storage account by using a private IP address, and the storage account has public network access disabled. The app resolves the storage FQDN from inside the VNet. What should you deploy?

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

A private endpoint for the storage account and the required private DNS zone linkage.

A private endpoint assigns the storage account a private IP address from the VNet, enabling access via a private IP while public network access is disabled. The required private DNS zone linkage ensures the storage FQDN resolves to that private IP from within the VNet, meeting both requirements.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • A service endpoint on the subnet so the storage account gets a private IP.

    Why it's wrong here

    Service endpoints do not create a private IP for the storage account. Traffic still uses the service's public endpoint.

    When this WOULD be correct

    A service endpoint would be correct if the question required securing the storage account to accept traffic only from a specific VNet, without needing a private IP address, and public network access was enabled but restricted via firewall rules.

  • A private endpoint for the storage account and the required private DNS zone linkage.

    Why this is correct

    A private endpoint gives the storage account a private IP address inside the virtual network, which is exactly what the scenario requires. Because the app must resolve the storage FQDN from within the VNet, private DNS is also needed so name resolution points to the private address instead of the public endpoint. This is the standard design for fully private access to Azure Storage.

    Related concept

    Read the scenario before looking for a memorised answer.

  • A storage account firewall rule that allows the VNet and a public DNS record update.

    Why it's wrong here

    Firewall rules can restrict public access, but they do not provide private IP connectivity or change DNS resolution to a private address.

    When this WOULD be correct

    This option would be correct if the storage account had public network access enabled but restricted to specific VNets/subnets via firewall rules, and the app needed to resolve the storage FQDN to a public IP that is accessible only from the allowed VNet.

  • A SAS token created for the application service principal.

    Why it's wrong here

    A SAS token affects authorization, not network path or DNS behavior. It cannot make the storage endpoint private.

    When this WOULD be correct

    A SAS token would be correct in a scenario where a storage account has public network access enabled, and you need to grant time-limited, delegated access to a specific resource (e.g., a blob) to an application or service principal without sharing the account key.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The AZ-104 exam frequently reuses these exact scenarios with slightly different constraints.

A private endpoint for the storage account and the required private DNS zone linkage.Correct answer

Why this is correct

A private endpoint gives the storage account a private IP address inside the virtual network, which is exactly what the scenario requires. Because the app must resolve the storage FQDN from within the VNet, private DNS is also needed so name resolution points to the private address instead of the public endpoint. This is the standard design for fully private access to Azure Storage.

A service endpoint on the subnet so the storage account gets a private IP.Wrong answer — click to see why

Why this is wrong here

A service endpoint does not assign a private IP to the storage account; it only allows traffic from the VNet to the storage account's public endpoint. The requirement is for the app to access the storage account by a private IP address, which service endpoints cannot provide.

★ When this WOULD be the correct answer

A service endpoint would be correct if the question required securing the storage account to accept traffic only from a specific VNet, without needing a private IP address, and public network access was enabled but restricted via firewall rules.

Why candidates choose this

Candidates may confuse service endpoints with private endpoints, thinking both provide private IP connectivity, or they may not fully understand that service endpoints do not assign private IPs to the target service.

A storage account firewall rule that allows the VNet and a public DNS record update.Wrong answer — click to see why

Why this is wrong here

The storage account has public network access disabled, so a firewall rule allowing the VNet is irrelevant because the storage account cannot be accessed over the public endpoint at all. Additionally, a public DNS record update would not provide a private IP address for the storage account.

★ When this WOULD be the correct answer

This option would be correct if the storage account had public network access enabled but restricted to specific VNets/subnets via firewall rules, and the app needed to resolve the storage FQDN to a public IP that is accessible only from the allowed VNet.

Why candidates choose this

Candidates may think that a firewall rule combined with a DNS update is sufficient to restrict access to the VNet, not realizing that disabling public network access entirely requires a private endpoint for connectivity.

A SAS token created for the application service principal.Wrong answer — click to see why

Why this is wrong here

A SAS token provides delegated access to a storage account using the storage account's public endpoint, but the question states public network access is disabled and requires a private IP address. SAS tokens do not enable private IP connectivity.

★ When this WOULD be the correct answer

A SAS token would be correct in a scenario where a storage account has public network access enabled, and you need to grant time-limited, delegated access to a specific resource (e.g., a blob) to an application or service principal without sharing the account key.

Why candidates choose this

Candidates may confuse SAS tokens with a method to secure access, not realizing that SAS tokens still rely on the public endpoint and do not provide private IP connectivity.

Analysis generated from the official AZ-104blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is confusing service endpoints (which only provide source VNet identity and no private IP) with private endpoints (which provide a true private IP and DNS resolution), leading candidates to choose option A incorrectly.

Detailed technical explanation

How to think about this question

A private endpoint uses a network interface with a private IP from the VNet subnet, and the private DNS zone (privatelink.blob.core.windows.net) is linked to the VNet to override public DNS resolution. This setup ensures traffic stays within the Microsoft backbone and never traverses the public internet, which is critical for compliance and data exfiltration prevention.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

Visual reference

Client Recursive Resolver Root DNS (13 root servers) TLD DNS (.com, .org, …) Authoritative example.com query IP addr answer

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related AZ-104 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-104 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-104 question test?

Implement and Manage Virtual Networking — This question tests Implement and Manage Virtual Networking — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: A private endpoint for the storage account and the required private DNS zone linkage. — A private endpoint assigns the storage account a private IP address from the VNet, enabling access via a private IP while public network access is disabled. The required private DNS zone linkage ensures the storage FQDN resolves to that private IP from within the VNet, meeting both requirements.

What should I do if I get this AZ-104 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

4 more ways this is tested on AZ-104

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A storage account should accept traffic only from one subnet, but the team does not want to create a private IP address for the service in the virtual network. What should they enable?

easy
  • A.Private endpoint, because it is the only way to allow one subnet.
  • B.Service endpoint, because it allows the subnet to access the storage service securely over the Azure backbone.
  • C.User-assigned managed identity, because it controls subnet access.
  • D.Blob soft delete, because it helps restrict where traffic comes from.

Why B: Service endpoints allow a subnet to access Azure PaaS services (like Storage) over the Azure backbone without requiring a private IP address. By enabling a Microsoft.Storage service endpoint on the subnet and configuring the storage account firewall to allow traffic only from that subnet, the team meets the requirement securely and cost-effectively.

Variation 2. An application in AppSubnet must access an Azure Storage account over the public endpoint, but only traffic from that subnet should be allowed, and the traffic should stay on the Microsoft backbone. The administrator does not want to create a private IP for the service. Which two actions should be taken? Select two.

hard
  • A.Enable a service endpoint for Microsoft.Storage on AppSubnet.
  • B.Configure the storage account firewall to allow AppSubnet.
  • C.Create a private endpoint in AppSubnet.
  • D.Disable public network access on the storage account.
  • E.Assign a public IP address to the storage account.

Why A: Enabling a service endpoint for Microsoft.Storage on AppSubnet (Option A) allows traffic from that subnet to reach the Azure Storage account over the Microsoft backbone, bypassing the public internet. This satisfies the requirement that traffic stays on the Microsoft backbone without needing a private IP for the service.

Variation 3. An existing application in AppSubnet1 must access an Azure Storage account. The team does not want to add a private endpoint or change DNS records, but they do want to allow access only from AppSubnet1. Which configuration should the administrator use?

medium
  • A.Enable the Microsoft.Storage service endpoint on AppSubnet1 and restrict the storage account to selected virtual networks.
  • B.Create a private endpoint and remove all public network access from the storage account.
  • C.Add a network security group rule that allows outbound TCP 443 to the storage account.
  • D.Enable peering between AppSubnet1 and the storage account network.

Why A: Option A is correct because enabling the Microsoft.Storage service endpoint on AppSubnet1 allows traffic from that subnet to be routed directly to the Azure Storage service over the Azure backbone network, bypassing the internet. By then restricting the storage account's firewall to 'selected virtual networks' and adding AppSubnet1's virtual network and subnet, access is limited exclusively to that subnet without needing a private endpoint or DNS changes.

Variation 4. An application in a subnet must access an Azure Storage account over a private IP. The storage account must not be reachable through its public endpoint, and access should be limited to that subnet only. Which configuration should the administrator implement?

medium
  • A.Create a service endpoint for Microsoft.Storage on the subnet and keep the public endpoint enabled.
  • B.Create a private endpoint in the subnet and disable public network access on the storage account.
  • C.Use a shared access signature token and leave network settings unchanged.
  • D.Associate the storage account with a NAT gateway to control inbound access.

Why B: Option B is correct because a private endpoint assigns a private IP from the subnet to the storage account, effectively bringing the service into the virtual network. Disabling public network access ensures the storage account is only reachable via that private endpoint, meeting the requirement to block public endpoint access and limit access to the specific subnet.

Keep practising

More AZ-104 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.