- A
A service endpoint on the subnet so the storage account gets a private IP.
Why wrong: Service endpoints do not create a private IP for the storage account. Traffic still uses the service's public endpoint.
- B
A private endpoint for the storage account and the required private DNS zone linkage.
A private endpoint gives the storage account a private IP address inside the virtual network, which is exactly what the scenario requires. Because the app must resolve the storage FQDN from within the VNet, private DNS is also needed so name resolution points to the private address instead of the public endpoint. This is the standard design for fully private access to Azure Storage.
- C
A storage account firewall rule that allows the VNet and a public DNS record update.
Why wrong: Firewall rules can restrict public access, but they do not provide private IP connectivity or change DNS resolution to a private address.
- D
A SAS token created for the application service principal.
Why wrong: A SAS token affects authorization, not network path or DNS behavior. It cannot make the storage endpoint private.
Azure Storage Service Endpoint vs Private Endpoint
This AZ-104 practice question tests your understanding of implement and manage virtual networking. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A web app in VNet1 must access a storage account by using a private IP address, and the storage account has public network access disabled. The app resolves the storage FQDN from inside the VNet. What should you deploy?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
A private endpoint for the storage account and the required private DNS zone linkage.
A private endpoint assigns the storage account a private IP address from the VNet, enabling access via a private IP while public network access is disabled. The required private DNS zone linkage ensures the storage FQDN resolves to that private IP from within the VNet, meeting both requirements.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
A service endpoint on the subnet so the storage account gets a private IP.
Why it's wrong here
Service endpoints do not create a private IP for the storage account. Traffic still uses the service's public endpoint.
When this WOULD be correct
A service endpoint would be correct if the question required securing the storage account to accept traffic only from a specific VNet, without needing a private IP address, and public network access was enabled but restricted via firewall rules.
- ✓
A private endpoint for the storage account and the required private DNS zone linkage.
Why this is correct
A private endpoint gives the storage account a private IP address inside the virtual network, which is exactly what the scenario requires. Because the app must resolve the storage FQDN from within the VNet, private DNS is also needed so name resolution points to the private address instead of the public endpoint. This is the standard design for fully private access to Azure Storage.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
A storage account firewall rule that allows the VNet and a public DNS record update.
Why it's wrong here
Firewall rules can restrict public access, but they do not provide private IP connectivity or change DNS resolution to a private address.
When this WOULD be correct
This option would be correct if the storage account had public network access enabled but restricted to specific VNets/subnets via firewall rules, and the app needed to resolve the storage FQDN to a public IP that is accessible only from the allowed VNet.
- ✗
A SAS token created for the application service principal.
Why it's wrong here
A SAS token affects authorization, not network path or DNS behavior. It cannot make the storage endpoint private.
When this WOULD be correct
A SAS token would be correct in a scenario where a storage account has public network access enabled, and you need to grant time-limited, delegated access to a specific resource (e.g., a blob) to an application or service principal without sharing the account key.
Option-by-option analysis
Why each answer is right or wrong
Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The AZ-104 exam frequently reuses these exact scenarios with slightly different constraints.
✓A private endpoint for the storage account and the required private DNS zone linkage.Correct answer▾
Why this is correct
A private endpoint gives the storage account a private IP address inside the virtual network, which is exactly what the scenario requires. Because the app must resolve the storage FQDN from within the VNet, private DNS is also needed so name resolution points to the private address instead of the public endpoint. This is the standard design for fully private access to Azure Storage.
✗A service endpoint on the subnet so the storage account gets a private IP.Wrong answer — click to see why▾
Why this is wrong here
A service endpoint does not assign a private IP to the storage account; it only allows traffic from the VNet to the storage account's public endpoint. The requirement is for the app to access the storage account by a private IP address, which service endpoints cannot provide.
★ When this WOULD be the correct answer
A service endpoint would be correct if the question required securing the storage account to accept traffic only from a specific VNet, without needing a private IP address, and public network access was enabled but restricted via firewall rules.
Why candidates choose this
Candidates may confuse service endpoints with private endpoints, thinking both provide private IP connectivity, or they may not fully understand that service endpoints do not assign private IPs to the target service.
✗A storage account firewall rule that allows the VNet and a public DNS record update.Wrong answer — click to see why▾
Why this is wrong here
The storage account has public network access disabled, so a firewall rule allowing the VNet is irrelevant because the storage account cannot be accessed over the public endpoint at all. Additionally, a public DNS record update would not provide a private IP address for the storage account.
★ When this WOULD be the correct answer
This option would be correct if the storage account had public network access enabled but restricted to specific VNets/subnets via firewall rules, and the app needed to resolve the storage FQDN to a public IP that is accessible only from the allowed VNet.
Why candidates choose this
Candidates may think that a firewall rule combined with a DNS update is sufficient to restrict access to the VNet, not realizing that disabling public network access entirely requires a private endpoint for connectivity.
✗A SAS token created for the application service principal.Wrong answer — click to see why▾
Why this is wrong here
A SAS token provides delegated access to a storage account using the storage account's public endpoint, but the question states public network access is disabled and requires a private IP address. SAS tokens do not enable private IP connectivity.
★ When this WOULD be the correct answer
A SAS token would be correct in a scenario where a storage account has public network access enabled, and you need to grant time-limited, delegated access to a specific resource (e.g., a blob) to an application or service principal without sharing the account key.
Why candidates choose this
Candidates may confuse SAS tokens with a method to secure access, not realizing that SAS tokens still rely on the public endpoint and do not provide private IP connectivity.
Analysis generated from the official AZ-104blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is confusing service endpoints (which only provide source VNet identity and no private IP) with private endpoints (which provide a true private IP and DNS resolution), leading candidates to choose option A incorrectly.
Detailed technical explanation
How to think about this question
A private endpoint uses a network interface with a private IP from the VNet subnet, and the private DNS zone (privatelink.blob.core.windows.net) is linked to the VNet to override public DNS resolution. This setup ensures traffic stays within the Microsoft backbone and never traverses the public internet, which is critical for compliance and data exfiltration prevention.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.
Visual reference
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
Implement and Manage Virtual Networking — study guide chapter
Learn the concepts, then practise the questions
- →
Implement and Manage Virtual Networking practice questions
Targeted practice on this topic area only
- →
All AZ-104 questions
1,170 questions across all exam domains
- →
AZ-104 study guide
Full concept coverage aligned to exam objectives
- →
AZ-104 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related AZ-104 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Manage Azure Identities and Governance practice questions
Practise AZ-104 questions linked to Manage Azure Identities and Governance.
Implement and Manage Storage practice questions
Practise AZ-104 questions linked to Implement and Manage Storage.
Deploy and Manage Azure Compute practice questions
Practise AZ-104 questions linked to Deploy and Manage Azure Compute.
Implement and Manage Virtual Networking practice questions
Practise AZ-104 questions linked to Implement and Manage Virtual Networking.
Monitor and Maintain Azure Resources practice questions
Practise AZ-104 questions linked to Monitor and Maintain Azure Resources.
AZ-104 Azure RBAC practice questions
Practise AZ-104 questions linked to AZ-104 Azure RBAC.
AZ-104 storage account practice questions
Practise AZ-104 questions linked to AZ-104 storage account.
AZ-104 virtual network practice questions
Practise AZ-104 questions linked to AZ-104 virtual network.
AZ-104 NSG practice questions
Practise AZ-104 questions linked to AZ-104 NSG.
AZ-104 Azure Monitor practice questions
Practise AZ-104 questions linked to AZ-104 Azure Monitor.
AZ-104 backup practice questions
Practise AZ-104 questions linked to AZ-104 backup.
AZ-104 managed identity practice questions
Practise AZ-104 questions linked to AZ-104 managed identity.
Practice this exam
Start a free AZ-104 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this AZ-104 question test?
Implement and Manage Virtual Networking — This question tests Implement and Manage Virtual Networking — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: A private endpoint for the storage account and the required private DNS zone linkage. — A private endpoint assigns the storage account a private IP address from the VNet, enabling access via a private IP while public network access is disabled. The required private DNS zone linkage ensures the storage FQDN resolves to that private IP from within the VNet, meeting both requirements.
What should I do if I get this AZ-104 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Same concept, more angles
4 more ways this is tested on AZ-104
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A storage account should accept traffic only from one subnet, but the team does not want to create a private IP address for the service in the virtual network. What should they enable?
easy- A.Private endpoint, because it is the only way to allow one subnet.
- ✓ B.Service endpoint, because it allows the subnet to access the storage service securely over the Azure backbone.
- C.User-assigned managed identity, because it controls subnet access.
- D.Blob soft delete, because it helps restrict where traffic comes from.
Why B: Service endpoints allow a subnet to access Azure PaaS services (like Storage) over the Azure backbone without requiring a private IP address. By enabling a Microsoft.Storage service endpoint on the subnet and configuring the storage account firewall to allow traffic only from that subnet, the team meets the requirement securely and cost-effectively.
Variation 2. An application in AppSubnet must access an Azure Storage account over the public endpoint, but only traffic from that subnet should be allowed, and the traffic should stay on the Microsoft backbone. The administrator does not want to create a private IP for the service. Which two actions should be taken? Select two.
hard- ✓ A.Enable a service endpoint for Microsoft.Storage on AppSubnet.
- ✓ B.Configure the storage account firewall to allow AppSubnet.
- C.Create a private endpoint in AppSubnet.
- D.Disable public network access on the storage account.
- E.Assign a public IP address to the storage account.
Why A: Enabling a service endpoint for Microsoft.Storage on AppSubnet (Option A) allows traffic from that subnet to reach the Azure Storage account over the Microsoft backbone, bypassing the public internet. This satisfies the requirement that traffic stays on the Microsoft backbone without needing a private IP for the service.
Variation 3. An existing application in AppSubnet1 must access an Azure Storage account. The team does not want to add a private endpoint or change DNS records, but they do want to allow access only from AppSubnet1. Which configuration should the administrator use?
medium- ✓ A.Enable the Microsoft.Storage service endpoint on AppSubnet1 and restrict the storage account to selected virtual networks.
- B.Create a private endpoint and remove all public network access from the storage account.
- C.Add a network security group rule that allows outbound TCP 443 to the storage account.
- D.Enable peering between AppSubnet1 and the storage account network.
Why A: Option A is correct because enabling the Microsoft.Storage service endpoint on AppSubnet1 allows traffic from that subnet to be routed directly to the Azure Storage service over the Azure backbone network, bypassing the internet. By then restricting the storage account's firewall to 'selected virtual networks' and adding AppSubnet1's virtual network and subnet, access is limited exclusively to that subnet without needing a private endpoint or DNS changes.
Variation 4. An application in a subnet must access an Azure Storage account over a private IP. The storage account must not be reachable through its public endpoint, and access should be limited to that subnet only. Which configuration should the administrator implement?
medium- A.Create a service endpoint for Microsoft.Storage on the subnet and keep the public endpoint enabled.
- ✓ B.Create a private endpoint in the subnet and disable public network access on the storage account.
- C.Use a shared access signature token and leave network settings unchanged.
- D.Associate the storage account with a NAT gateway to control inbound access.
Why B: Option B is correct because a private endpoint assigns a private IP from the subnet to the storage account, effectively bringing the service into the virtual network. Disabling public network access ensures the storage account is only reachable via that private endpoint, meeting the requirement to block public endpoint access and limit access to the specific subnet.
Keep practising
More AZ-104 practice questions
- A storage automation service principal must upload, read, and delete blob data in one container by using Microsoft Entra…
- A subnet contains several application servers. You need to allow inbound TCP 3389 only from a management subnet named Su…
- A subscription admin wants to investigate who changed a resource and also review the platform-generated events for that…
- Based on the exhibit, which Azure feature should the administrator use to track this kind of platform-wide service issue…
- An administrator wants a script running on an Azure VM to create a resource in Azure without storing any passwords or cl…
- A PowerShell script runs on an Azure VM every night and uses Azure CLI commands to create tags and VM resources in anoth…
Last reviewed: Jun 11, 2026
This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.