Courseiva
AZ-204
Full test
mediummultiple choiceObjective-mapped

You need to restrict access to an Azure Storage account so that only a specific subnet of a virtual network can access the data. Additionally, you need to allow management access from the Azure portal (e.g., to view containers). Which configuration should you apply?

Question 1mediummultiple choice
Full question →

You need to restrict access to an Azure Storage account so that only a specific subnet of a virtual network can access the data. Additionally, you need to allow management access from the Azure portal (e.g., to view containers). Which configuration should you apply?

Full question →

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Distractor review

Configure IP firewall rules to allow the subnet IP range and add the Azure portal's public IP addresses.

This is possible but less secure and harder to maintain as portal IPs can change. Also, it does not use network security boundary of the virtual network.

B

Best answer

Configure a service endpoint for Microsoft.Storage on the subnet and add a firewall rule to allow the subnet, then enable 'Allow trusted Microsoft services'.

Service endpoint provides secure connectivity from the subnet. The trusted Microsoft services exception allows portal management while keeping the firewall restricted.

C

Distractor review

Configure a private endpoint for the storage account and disable public network access.

Private endpoint would also work but is more complex to set up and is not required if only subnet access and portal management are needed.

D

Distractor review

Configure IP ACLs to allow the subnet and also allow all Azure services.

Allowing all Azure services is overly permissive and does not leverage the virtual network boundary.

Common exam trap

Common exam trap: usable hosts are not the same as total addresses

Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.

Technical deep dive

How to think about this question

Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.

KKey Concepts to Remember

  • CIDR notation defines the prefix length.
  • Block size helps identify subnet boundaries.
  • Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
  • The required host count determines the smallest suitable subnet.

TExam Day Tips

  • Write the block size before choosing the subnet.
  • Check whether the question asks for hosts, subnets or a specific address range.
  • Do not confuse /24, /25, /26 and /27 host counts.

Related practice questions

Related AZ-204 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

AZ-204 fundamentals practice questions

Practise AZ-204 questions linked to AZ-204 fundamentals.

AZ-204 scenario practice questions

Practise AZ-204 questions linked to AZ-204 scenario.

AZ-204 troubleshooting practice questions

Practise AZ-204 questions linked to AZ-204 troubleshooting.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

Question 1

An application stores customer invoices in Azure Blob Storage. Deleted blobs must be recoverable for 14 days. What should be enabled?

Question 2

You are deploying a containerized application to Azure Container Instances. The application requires a custom domain name and SSL/TLS termination. You need to configure these features. Which resource should you create alongside the container group?

Question 3

A developer needs to run a Kusto query against application request data to identify 95th percentile latency by operation. Where should the query be run? The architecture review board prefers a managed AWS-native control.

Question 4

You are developing a web app that authenticates users via Microsoft Entra ID. The app needs to read the user's profile and send emails on their behalf. You want to minimize user consent prompts. Which OAuth 2.0 grant type should you use?

Question 5

You are developing an Azure Function that processes messages from an Azure Service Bus queue. The function uses a Service Bus queue trigger and runs on a Consumption Plan. The queue receives a high volume of messages in bursts. You need to ensure that the function scales out to handle the load but does not exceed 10 concurrent instances. Which configuration should you apply?

Question 6

You are monitoring an Azure App Service using Application Insights. You notice that the server response time is high for certain requests. You need to drill down to see which external dependencies (like databases or APIs) are causing the delay. Which Application Insights feature should you use?

FAQ

Questions learners often ask

What does this AZ-204 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Configure a service endpoint for Microsoft.Storage on the subnet and add a firewall rule to allow the subnet, then enable 'Allow trusted Microsoft services'. — Configure a service endpoint for Microsoft.Storage on the subnet and add a firewall rule to allow that subnet. Then, enable the 'Allow trusted Microsoft services' exception so that Azure portal and other management services can still access the storage account. IP-based firewall alone does not provide this management access as securely.

What should I do if I get this AZ-204 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.

Discussion

Loading comments…

Sign in to join the discussion.