Question 752 of 1,170
Implement and Manage StoragemediumMultiple ChoiceObjective-mapped

Private Endpoint vs Service Endpoint — Restrict Storage Account to Subnet

This AZ-104 practice question tests your understanding of implement and manage storage. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A storage account must be reachable only from Azure VMs in a single subnet. Public network access should not be used, and the team wants the storage service to keep using a private IP address inside the virtual network. Which feature should the administrator configure?

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

A private endpoint for the storage account in the subnet.

A private endpoint assigns the storage account a private IP address from the subnet's address space, using Azure Private Link to route traffic entirely over the Microsoft backbone network. This ensures the storage account is reachable only from VMs in that subnet and blocks all public internet access, meeting both requirements.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • A service endpoint on the subnet, because it creates a private IP address for the storage account.

    Why it's wrong here

    Service endpoints improve secure routing to the service, but they do not give the storage account a private IP address in the VNet.

    When this WOULD be correct

    A service endpoint would be correct if the requirement is to restrict access to the storage account from a specific subnet while still using the public endpoint, and private IP addressing is not required.

  • A private endpoint for the storage account in the subnet.

    Why this is correct

    A private endpoint places the storage service on a private IP address inside the VNet, which matches the requirement to avoid public network access. It is the correct choice when the service should be reachable only through a private address.

    Related concept

    Read the scenario before looking for a memorised answer.

  • A shared access signature that is limited to the subnet.

    Why it's wrong here

    A SAS controls authorization, not network path or IP addressing. It cannot make the storage account use a private address in the subnet.

    When this WOULD be correct

    When the requirement is to grant time-limited, delegated access to a specific storage resource (e.g., a blob or file) for a client outside Azure, without exposing the storage account keys. For example, allowing a third-party application to read a file for 24 hours.

  • Storage account access keys, because they bind access to one subnet automatically.

    Why it's wrong here

    Access keys authenticate requests but do not restrict traffic to a subnet or alter the network path to private versus public endpoints.

    When this WOULD be correct

    A question asking how to securely share storage account access with a team member without using Azure AD, where the requirement is to provide full access to the storage account (not network-restricted), and the solution must involve regenerating keys periodically.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The AZ-104 exam frequently reuses these exact scenarios with slightly different constraints.

A private endpoint for the storage account in the subnet.Correct answer

Why this is correct

A private endpoint places the storage service on a private IP address inside the VNet, which matches the requirement to avoid public network access. It is the correct choice when the service should be reachable only through a private address.

A service endpoint on the subnet, because it creates a private IP address for the storage account.Wrong answer — click to see why

Why this is wrong here

Service endpoints do not assign a private IP address to the storage account; they provide direct connectivity from the subnet to the storage service over the Azure backbone, but the storage account still uses a public endpoint.

★ When this WOULD be the correct answer

A service endpoint would be correct if the requirement is to restrict access to the storage account from a specific subnet while still using the public endpoint, and private IP addressing is not required.

Why candidates choose this

Candidates may confuse service endpoints with private endpoints, thinking both provide private IP addresses, but only private endpoints assign a private IP from the subnet.

A shared access signature that is limited to the subnet.Wrong answer — click to see why

Why this is wrong here

A shared access signature (SAS) provides delegated access to storage resources, but it does not restrict network access to a specific subnet; it controls access via tokens, not network boundaries.

★ When this WOULD be the correct answer

When the requirement is to grant time-limited, delegated access to a specific storage resource (e.g., a blob or file) for a client outside Azure, without exposing the storage account keys. For example, allowing a third-party application to read a file for 24 hours.

Why candidates choose this

Candidates may think a SAS can be scoped to a subnet because it can include IP address restrictions, but those restrictions are for client IPs, not subnet-level network isolation.

Storage account access keys, because they bind access to one subnet automatically.Wrong answer — click to see why

Why this is wrong here

Storage account access keys do not restrict access to a specific subnet; they provide full administrative access to the storage account from any network location if the keys are known.

★ When this WOULD be the correct answer

A question asking how to securely share storage account access with a team member without using Azure AD, where the requirement is to provide full access to the storage account (not network-restricted), and the solution must involve regenerating keys periodically.

Why candidates choose this

Candidates may mistakenly believe that access keys inherently bind access to a specific subnet, confusing key-based authentication with network-level restrictions.

Analysis generated from the official AZ-104blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is confusing a service endpoint (which only provides source IP preservation and route optimization but leaves the public endpoint exposed) with a private endpoint (which truly removes public access by assigning a private IP).

Detailed technical explanation

How to think about this question

A private endpoint uses a network interface (NIC) in the subnet with a private IP from the VNet range, and DNS resolution is configured to resolve the storage account's FQDN to that private IP via a private DNS zone (e.g., privatelink.blob.core.windows.net). Traffic flows through Azure Private Link, bypassing the internet entirely, and the storage account's firewall must be set to 'Deny all' public access for the private endpoint to enforce exclusive private connectivity. In a real-world scenario, this is critical for compliance with regulations like PCI-DSS that require data exfiltration protection.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

Visual reference

192.168.1.0 /24 256 addresses (254 usable) 192.168.1.0 /25 Subnet A 128 addr (126 usable) 192.168.1.128 /25 Subnet B 128 addr (126 usable) Borrowing 1 bit from host portion creates 2 subnets (/25)

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related AZ-104 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-104 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-104 question test?

Implement and Manage Storage — This question tests Implement and Manage Storage — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: A private endpoint for the storage account in the subnet. — A private endpoint assigns the storage account a private IP address from the subnet's address space, using Azure Private Link to route traffic entirely over the Microsoft backbone network. This ensures the storage account is reachable only from VMs in that subnet and blocks all public internet access, meeting both requirements.

What should I do if I get this AZ-104 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

4 more ways this is tested on AZ-104

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A storage account must be reachable only from resources in one Azure subnet, and public network access should not be used. Which configuration best meets this requirement?

easy
  • A.Enable blob versioning on the storage account
  • B.Create a private endpoint for the storage account in the subnet
  • C.Assign a ReadOnly lock to the storage account
  • D.Enable a shared access signature

Why B: A private endpoint assigns the storage account a private IP address from the specified Azure subnet, effectively bringing the storage account into the virtual network. This ensures that all traffic to the storage account stays within the Microsoft Azure backbone network and never traverses the public internet, meeting the requirement to restrict access exclusively to resources in that subnet while disabling public network access.

Variation 2. A team wants an Azure Storage account to be reachable only from one subnet, but they do not want to use a private endpoint. Which two configurations should they use? Select two.

easy
  • A.Enable a Microsoft.Storage service endpoint on the subnet so the subnet can reach the storage service privately over the Azure backbone.
  • B.Add the subnet to the storage account's networking rules so only that subnet is allowed through the storage firewall.
  • C.Create a private endpoint and leave the firewall open to all networks so the subnet can be filtered later.
  • D.Assign Contributor on the storage account to the subnet, because Azure roles control which networks can connect.
  • E.Disable the public endpoint and rely on Internet routing, because that is the only way to limit access to one subnet.

Why A: Option A is correct because enabling a Microsoft.Storage service endpoint on the subnet extends the virtual network identity to the storage service, allowing traffic from that subnet to reach the storage account over the Azure backbone network without using a public IP. This ensures private connectivity from the subnet to the storage account while keeping the storage account's public endpoint enabled but restricted.

Variation 3. A team wants an Azure Storage account to be reachable only from a single Azure virtual network and to use a private IP address inside that network. Which option should the administrator configure?

easy
  • A.A service endpoint on the subnet.
  • B.A private endpoint for the storage account.
  • C.A public IP address with an NSG inbound allow rule.
  • D.A VPN gateway connection to the storage account.

Why B: A private endpoint assigns a private IP address from the virtual network to the storage account, making it reachable only from that VNet over the Microsoft backbone network. This meets the requirement of exclusive access and private IP usage, unlike a service endpoint which still exposes the storage account to the public internet via its public endpoint.

Variation 4. A team wants to restrict a storage account so only one Azure subnet can reach it. They do not need a private IP address, and they are fine with the storage account still using its public endpoint. Which configuration should the administrator use?

medium
  • A.Create a private endpoint and disable public network access.
  • B.Enable a service endpoint on the subnet and allow that subnet in the storage account firewall.
  • C.Generate a user delegation SAS token and distribute it only to the subnet.
  • D.Change the redundancy setting to ZRS and enable soft delete.

Why B: Option B is correct because a service endpoint extends the virtual network identity to the storage account over the public endpoint, allowing the administrator to restrict access to only traffic originating from that specific subnet via the storage account firewall. This meets the requirement of using the public endpoint while limiting access to a single Azure subnet without needing a private IP address.

Keep practising

More AZ-104 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.