A storage account must be reachable only from Azure VMs in a single subnet. Public network access should not be used, and the team wants the storage service to keep using a private IP address inside the virtual network. Which feature should the administrator configure?
A private endpoint places the storage service on a private IP address inside the VNet, which matches the requirement to avoid public network access. It is the correct choice when the service should be reachable only through a private address.
Why this answer
A private endpoint assigns the storage account a private IP address from the subnet's address space and uses Azure Private Link to route traffic entirely over the Microsoft backbone network. With the account's public network access disabled, the storage account is reachable only from VMs in that subnet and all public internet access is blocked, which meets both requirements.
Exam trap
The trap is confusing a service endpoint, which only provides source IP preservation and route optimization while leaving the storage account's public endpoint exposed, with a private endpoint, which removes public access by assigning the service a private IP address inside the VNet.
How to eliminate wrong answers
Option A is wrong because a service endpoint does not create a private IP address for the storage account; it only extends the VNet identity to the service, so the storage account keeps a public endpoint that is reachable from the internet. Option C is wrong because a shared access signature (SAS) is a token for delegated access to storage resources, not a network access control; it cannot restrict access to a specific subnet. Option D is wrong because storage account access keys are global credentials that grant full access to the storage account from any network source; they do not bind access to a single subnet.