You are deploying a batch processing application to Azure Container Instances (ACI). The application processes multiple files from an Azure Blob Storage container and writes results to another container. Each container instance processes a single file and then exits. The processing logic is written in a Docker image that reads input and output connection strings from environment variables. You need to configure the container group so that it writes the results to the output container durably and efficiently. The environment variables must be provided at runtime but must not be exposed in the ACI configuration. Which approach should you use?

Mount an Azure File Share volume for the output container and configure the application to write output files to a directory on that share. Store the connection string for the file share in a secure fashion using Key Vault and pass it as an environment variable.

While using Azure File Share is durable, the requirement is to write results back to Blob Storage (output container), not a file share. Also, the application is designed to use Blob Storage SDK, not file system I/O.

Embed the storage account connection string directly into the Docker image during build time and rely on the container's environment to provide the output blob container name.

Embedding secrets in a Docker image is insecure and makes rotation difficult. It also violates the principle of least privilege.

Set the storage account connection string as an environment variable in the ACI container group definition (YAML or ARM template) and have the application use it at runtime.

Setting secrets as environment variables in the ACI configuration exposes them in the deployment artifacts and logs. This is not secure; secrets should be retrieved from a secure store like Key Vault.

What does this AZ-204 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Use a managed identity for the container group, grant the identity access to an Azure Key Vault secret that contains the storage account connection string. The application retrieves the secret at startup using the managed identity and then writes directly to Azure Blob Storage. — To provide environment variables securely, use Azure Key Vault with managed identity. ACI supports mounting secrets from Key Vault as environment variables using managed identity. For output storage, the container can use the connection string from environment variable to write directly to Blob Storage. Alternatively, using Azure File Share mount is for persistent file system storage, but the output is already being written to Blob Storage via the SDK. The best approach is to use managed identity and Key Vault for secrets, and then the application writes directly to Azure Storage using those credentials. Option B correctly describes using managed identity to access Key Vault to get the storage connection string, and then writing to Blob Storage via the SDK. Option A suggests mounting a volume which is unnecessary. Option C suggests using a custom container image with hardcoded secrets, insecure. Option D suggests using environment variables directly in the ACI YAML, which exposes them in the configuration. So correct is B.

What should I do if I get this AZ-204 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.